Salta al contenuto

DIRITTI E PREVENZIONE > COME TUTELARE LA TUA PRIVACY

ricerca avanzata

Authorisation for the Transfer of Personal Data to Third Countries in Compliance with Standard Contractual Clauses - 10 october 2001 [1669728]

SCHEDA
Garante per la protezione dei dati personali
Doc-Web:
1669728
Data:
10/10/01

[doc. web n. 1669728]

Trasferimento dei dati personali all'estero - Autorizzazione al trasferimento verso Paesi senza adeguato livello di protezione 

Authorisation for the Transfer of Personal Data to Third Countries in Compliance with Standard Contractual Clauses - 10 october 2001

Garante per la protezione dei dati personali

Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr Mauro Paissan, members, and Mr Giovanni Buttarelli, Secretary General, having convened today,

Having regard to Article 25 of directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, providing that personal data may be transferred to a country outside the European Union if the third country in question ensures an adequate level of protection, as set forth in paragraph 2 of the abovementioned Article,

Having regard to Article 26 of the abovementioned directive, laying down derogations from said principle and also providing that a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection, where the data controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights, such safeguards also resulting from appropriate contractual clauses,

Having regard to paragraph 4 of said Article 26, concerning the European Commission's decisions on standard contractual clauses,

Having regard to the European Commission's decision of 15 June 2001, no. 2001/497/EC as published on the Official Journal of the European Communities L181 of 4 July 2001, according to which certain standard contractual clauses, attached to said decision, offer sufficient safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights for the transfer of personal data to third countries as required by directive 95/46/EC,

Whereas Member States are required to take the necessary measures to comply with the Commission's decision in pursuance of paragraph 4 of said Article 26 of the directive,

Having regard to Article 28 of Act no. 675 of 31 December 1996, providing that the transfer of personal data to third countries may take place a) where the laws of the country of destination or transit ensure an adequate level of protection of individuals or, with respect to sensitive data or certain categories of judicial data, a level of protection that is equal to the one ensured by Italian laws, b) in the cases referred to in paragraph 4 of Article 28, or c) where it is authorised by the Garante on the basis of adequate safeguards for the data subject's rights, which may result from contractual arrangements (paragraph 4, subheading g) ),

Whereas it is necessary to take the measures required to implement the Commission's decision, as provided for by said Article 28,

Whereas the abovementioned standard contractual clauses – which the Commission has drafted by including 11 clauses and 3 Annexes, also based on the favourable opinion given by the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established under Article 29 of the directive – offer safeguards with respect to data subjects' rights that can be considered adequate in pursuance of Article 28(4), subheading g),

Whereas the entities using the above contractual clauses may lay down further safeguards for the individuals to whom the data refer, in addition to the minimum safeguards that are set forth in said clauses,

Whereas the Commission's decision only applies to the transfer of data that is performed from the State's territory by a controller established in the Community (data exporter) to another controller (data importer), and other standard contractual clauses will be laid down in a subsequent decision concerning the transfer of data by a controller established in the Community to a processor acting on the controller's behalf,

Whereas it is necessary to publicise further the abovementioned contractual clauses by having them published on the Official Journal of the Italian Republic as an Annex to this authorisation,

Whereas it is necessary to lay down a few specifications in pursuance of the tasks committed to this authority by Article 28 of the directive and Act no. 675/1996, which have been also referred to in the Commission's decision, to the extent required for initially implementing this authorisation,

Whereas the possibility for the Garante to play, on a case by case basis, the mediation role that is referred to in clause 7, paragraph 1, subheading a), of the Commission's decision, is hereby left unprejudiced,

Whereas this is without prejudice to the possibility for the Garante to specify additional requirements and mechanisms on the basis of the experience gathered in implementing the clauses, also at Community level,

Having regard to official records,

Having regard to the considerations made by the Secretary General on behalf of the authority, as required by Article 15 of Regulations no. 1/2000,

Acting on the report submitted by Prof. Rodotà,

THE GARANTE HEREBY

1) authorises, as of 3 September 2001, the transfer of personal data from the State's territory to countries outside the European Union, where it is performed on the basis of and in compliance with the standard contractual clauses annexed to the European Commission's decision of 15 June 2001, no. 2001/497/EC, on condition that:

a) the data exporter and the data importer refer to or incorporate the clauses in the data transfer contract so as to make them also recognisable for the individuals to whom the data refer, where they request to be informed about the clauses; additionally, they may not lay down contractual provisions that impose limitations on or contradict the standard contractual clauses (see Clause no. 4, letter c) and no. 5, letter e), and Recital no. 5 in the Commission's decision),

b) a copy of the data transfer contract and additional information as required will only be made available to the Garante if the latter so requests (see Clauses no. 4, 5 and 8, and Article 31(2) of Act no. 675/1996),

c) the decision made in case a dispute cannot be resolved amicably and is referred to an entity other than the Garante or judicial authority is notified to the Garante (see Clause 7(2) and (1), lett, a), and Article 31(2) of Act no. 675/1996);

2) reserves the right to perform the necessary controls and take action possibly by suspending or  prohibiting the transfer in pursuance of Act no. 675/1996 and Community law (see Article 4 and Recital no. 15 in the Commission's decision);

3) orders that this authorisation and the Commission's decision annexed hereto be sent to the Publishing Department at the Ministry of Justice for them to be printed on the Official Journal of the Italian Republic.

Done in Rome, this 10th day of October 2001

The President
Rodotà

The Rapporteur
Rodotà

The Secretary General
Buttarelli