g-docweb-display Portlet

Authorisation for the Transfer of Personal Data to Organisations Established in the United States of America in Compliance with the Safe Harbor Pr...

Stampa Stampa Stampa
PDF Trasforma contenuto in PDF

 

PRESS RELEASE (6 NOVEMBER 2015): Data Transfers to the USA: the "Safe Harbor" Authorisation is Invalid

 

[doc. web n. 1669652]

 

Trasferimento dei dati personali all´estero  - Autorizzazione al trasferimento verso gli Stati Uniti d´America (´Safe Harbor´)

Authorisation for the Transfer of Personal Data to Organisations Established in the United States of America in Compliance with the "Safe Harbor Privacy Principles" - 10 october 2001

PRESS RELEASE 6 NOVEMBER 2015: Data Transfers to the USA: the "Safe Harbor" Authorisation is Invalid

 

Garante per la protezione dei dati personali

Prof. Stefano Rodotà, President, Prof. Giuseppe Santaniello, Vice-President, Prof. Gaetano Rasi and Mr Mauro Paissan, members, and Mr Giovanni Buttarelli, Secretary General, having convened today,

Having regard to Article 25(1) and (2) of directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, providing that personal data may be transferred to a country outside the European Union if the third country in question ensures an adequate level of protection, as set forth in paragraph 2 of the abovementioned Article,

Having regard to Article 25(6) of the abovementioned directive, providing that the European Commission may find that a third country ensures an adequate level of protection within the meaning of paragraph (2) above for the protection of the private lives and the rights and fundamental freedoms of individuals,

Having regard to the European Commission´s decision of 26 July 2000, no. 2000/520/EC as published on the Official Journal of the European Communities L215 of 25 August 2000 and L115 of 25 April 2001, according to which the "Safe Harbor Privacy Principles" annexed to said decision, implemented in accordance with the guidance provided by the "Frequently Asked Questions (FAQ)" also annexed to the above decision, ensure an adequate level of protection  for personal data transferred from the Community to organisations established in the United States having regard to the documents issued by the US Department of Commerce as mentioned therein,

Whereas Member States are required to take the necessary measures to comply with the Commission´s decision in pursuance of paragraph 6 of said Article 25 of the directive,

Having regard to Article 28 of Act no. 675 of 31 December 1996, providing that the transfer of personal data to third countries may take place a) where the laws of the country of destination or transit ensure an adequate level of protection of individuals or, with respect to sensitive data or certain categories of judicial data, a level of protection that is equal to the one ensured by Italian laws, b) in the cases referred to in paragraph 4 of Article 28, or c) where it is authorised by the Garante on the basis of adequate safeguards for the data subject´s rights, which may result from contractual arrangements (paragraph 4, subheading g) ),

Whereas it is necessary to take the measures required to implement the Commission´s decision, as provided for by said Article 28, pending the full transposition of directive no. 95/46/EC,

Whereas the seven Principles annexed to the above Decision as particularised in 15 FAQs, which have also been the subject of opinions and considerations by the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established under Article 29 of the directive, offer safeguards for the data subjects´ rights that must be considered adequate as required by Community law within the meaning of Article 28(4), subheading g), of Act no. 675/1996,

Whereas the entities applying the above Principles may lay down further safeguards for the individuals to whom the data refer, in addition to the minimum safeguards that are set forth in said Decision,

Whereas the Commission´s decision may be adapted in the light of experience with its implementation and/or new requirements made by US legislation (see Article 4),

Having regard to Articles 2 and 3 in the Commission´s decision concerning controls and measures by data protection authorities of Member States on lawfulness and fairness of data transfers and data processing operations preceding said transfers, also in the light of the provisions made in Article 4 of Directive 95/46/EC on the national law applicable,

Having regard to FAQ no. 5, on the role to be played by data protection authorities of Member States in cooperation with US organisations receiving personal data from the European Union, also within the framework of an informal panel of authorities established at European level, of which the Garante intends to be a member,

Whereas the data protection authorities of Member States as represented in the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established under Article 29 of Directive 95/46/EC have agreed to include FAQ no. 5 in the package of measures laid down by the Commission´s decision,

Whereas it is necessary to publicise further the abovementioned Principles by having them published on the Official Journal of the Italian Republic as an Annex to this authorisation,

Having regard to official records,

Having regard to the considerations made by the Secretary General on behalf of the authority, as required by Article 15 of Regulations no. 1/2000,

Acting on the report submitted by Prof. Giuseppe Santaniello,

THE GARANTE HEREBY

1) authorises the transfer of personal data from the State´s territory to organisations established in the United States, where it is performed on the basis of and in compliance with the "Safe Harbor Privacy Principles", implemented in accordance with the guidance provided in the "Frequently Asked Questions (FAQ)" and the additional documents annexed to the European Commission´s decision no. 2000/520/EC of 26 July 2000;

2) reserves the right to perform the necessary controls on lawfulness and fairness of data transfers and processing operations preceding said transfers as well as on compliance with the abovementioned Principles, in pursuance of Community laws, Act no. 675/1996, Article 3 of the Commission´s decision and FAQ no. 5 attached thereto, and to take action possibly by suspending or  prohibiting the transfer;

3) orders that this authorisation and the Commission´s decision annexed hereto be sent to the Publishing Department at the Ministry of Justice for them to be printed on the Official Journal of the Italian Republic.

Done in Rome, this 10th day of October 2001

The President
Rodotà

The Rapporteur
Santaniello

The Secretary General
Buttarelli