European Data Protection Board clarifies rules for data sharing with third country authorities and approves EU Data Protection Seal certification

During its latest plenary, the European Data Protection Board (EDPB) published guidelines on Art.48 GDPR about data transfers to third country authorities and  approved a new European Data Protection Seal.

Αs stated in a press release from the EDPB, in a highly interconnected world, organisations receive requests from public authorities in other countries to share personal data. The sharing of data can, for instance, be of help to collect evidence in the case of crime, to check financial transactions or approve new medications.

When a European organisation receives a request for a transfer of data from a ‘third country’ (i.e. non-European countries) authority, it must comply with the General Data Protection Regulation (GDPR). In its guidelines, the EDPB zooms in on Art. 48 GDPR and clarifies how organisations can best assess under which conditions they can lawfully respond to such requests. In this way, the guidelines help organisations to make a decision on whether they can lawfully transfer personal data to third country authorities when asked to do so.

Judgements or decisions from third countries authorities cannot automatically be recognised or enforced in Europe. If an organisation replies to a request for personal data from a third country authority, this data flow constitutes a transfer and the GDPR applies. An international agreement may provide for both a legal basis and a ground for transfer. In case there is no international agreement, or if the agreement does not provide for an appropriate legal basis or safeguards, other legal bases or other grounds for transfer could be considered, in exceptional circumstances and on a case by case basis.

The guidelines are subject to public consultation until 27 January 2025.

Approval of EU Data Protection Seal

During the plenary meeting, the Board also adopted an opinion approving the Brand Compliance certification criteria concerning processing activities by controllers or processors. In September 2023, the Board already adopted an opinion on the approval of the Brand Compliance national certification criteria, making them officially recognised certification criteria in the Netherlands for data processing by organisations. The approval of the new opinion means that these criteria will now be applicable across Europe and as a European Data Protection Seal.

GDPR certification helps organisations demonstrate their compliance with data protection law. This transparency helps people trust the product, service, process or system for which organisations process their personal data. (source:edpb.europa.eu/photo freepik.com)

Comments

Post a Comment

Editorial

Editorial
George Kazoleas, Lawyer

Top Stories

Ombudsman inquiry on Commission President’s text messages is a wake-up call for EU

Image
The European Ombudsman inquiry into the Commission’s handling of a request for text messages between its President and the CEO of a pharmaceutical company is a wake-up call for all EU institutions about ensuring accountability in an era of instant messaging. One year after the initial request by a journalist, the Commission has still not clarified whether messages reported to concern major vaccine procurement deals exist and whether the public is entitled to see them. The Ombudsman had asked the Commission, in a finding of maladministration in January, to conduct a more thorough search for the text messages. The Commission’s recent response failed to say whether it had looked directly and correctly for the text messages and if not, why not. While the response recognised that work-related text messages can be EU documents, it reiterated that the Commission’s internal policy is, in effect, not to register text messages. The Ombudsman has closed  the inquiry  and upheld...
Read more

Intellectual property: the figurative sign consisting of the phrase ‘RUSSIAN WARSHIP, GO F* *K yourself’ in Russian and English cannot be registered as an EU trade mark

Image
In its Judgment in Case T-82/24 (Administration of the State Border Guard Service of Ukraine v EUIPO) (RUSSIAN WARSHIP, GO F**K YOURSELF) the General Court ruled that the figurative sign consisting of the phrase ‘RUSSIAN WARSHIP, GO F* *K yourself’ in Russian and English cannot be registered as an EU trade mark. That phrase, which has become a symbol of Ukraine’s fight against Russian aggression, is not perceived as an indication of a commercial origin.  The Administration of the State Border Guard Service of Ukraine (Kyiv, Ukraine) requests the General Court of the European Union to annul the decision of the European Union Intellectual Property Office (EUIPO) of 1 st December 2023, which refused registration of the following figurative sign as an EU trade mark: ‘RUSSIAN WARSHIP, GO F* *K yourself’ That mark is a war cry uttered by the Ukrainian border guard on Snake Island on 24th February 2022, the first day of the full-scale Russian invasion of Ukraine. Registration was sou...
Read more

Prohibiting contact between children and their mother in custody and contact rights case was unjustified (ECtHR)

Image
The case of X and Others v. Slovenia (application nos. 27746/22 and 28291/22) concerned custody decisions and contact rights following the separation of X from her children’s father in 2018. It also concerned the reassignment of X’s court case to a particular judge.  In Chamber's judgment in the case, the European Court of Human Rights held, unanimously, that there had been a violation of Article 6 § 1 (right to a fair trial) of the European Convention on Human Rights, as regards X’s right to a tribunal established by law, and violations of Article 8 (right to respect for private and family life) with respect both to:  - the applicant children, as regards the order to remove them from X’s (their mother’s) care in March 2020, their not being represented in the contact and custody proceedings, and their not being allowed contact with their mother;  - X, for not being allowed contact with her children.  The Court found in particular that the President of the District Co...
Read more

ECtHR elects a new Vice-President of the Court and two new Section Presidents

Image
The European Court of Human Rights has elected on 23.9.2024 a new Vice-President of the Court – Judge Ivana Jelić (elected in respect of Montenegro). She will take up her duties on 1 November 2024.  The Court has also elected at the same date two new Section Presidents – Judges Lado Chanturia (elected in respect of Georgia) and Ioannis Ktistakis (elected in respect of Greece). They will also take up their duties on 1 November 2024. Ivana Jelić was born on 17 March 1975 in Podgorica, Montenegro and was elected Judge of the European Court of Human Rights on 12 July 2018. Lado Chanturia was born on 14 April 1963 in Tsalenjikha, Georgia, was elected Judge of the European Court of Human Rights on 8 January 2018 and is Vice-President of Section since 18 May 2023. Ioannis Ktistakis was born on 3 January 1971 in Thebes, Greece and was elected Judge of the European Court of Human Rights on 8 March 2021. (source/photo: echr.coe.int) Read more here
Read more

European Ombudsman asks Commission to publish details of its handling of senior staff move to law firm

Image
The European Ombudsman has asked the European Commission to publish details about how it has handled the planned move by a former director in its competition department to the Brussels office of a US corporate law firm as a partner. Any restrictions that have been placed on the activities of the former director to mitigate potential conflicts of interest should be made public without delay, said the Ombudsman. She noted that public information about the move came from the law firm and gives the impression that the Commission has allowed a senior official to work for a company that anticipates major benefits from their inside knowledge.  The Ombudsman also noted that the Commission declined to give details about the individual’s professional experience despite the fact that the law firm itself has put out a press release detailing it. The Ombudsman has previously criticised a tendency in the EU administration to underestimate the potential negative effects of staff moves to th...
Read more

A national court is not required to apply a decision of its constitutional court that infringes EU law (ECJ)

Image
In its Judgment of 26.9.2024 in Case C-792/22 (Energotehnica) the Court of Justice ruled as regards the right to an effective remedy that a national court is not required to apply a decision of its constitutional court that infringes EU law. In such a case, the national court may not be penalised.  Following the death of an electrician by electrocution during a maintenance operation, an administrative procedure was initiated against his employer. At the same time, criminal proceedings for negligence and manslaughter were initiated against the supervisor. The victim’s next of kin also became civil parties to the criminal proceedings.  The administrative court hearing the dispute concluded that the present case did not involve an ‘accident at work’. It annulled the administrative penalties imposed on the employer. According to national legislation, as interpreted by the Romanian Constitutional Court, that administrative decision prevents the criminal court from reconsidering whe...
Read more