UWAGA!

Od 25 maja 2018 r. organem właściwym w zakresie ochrony danych osobowych jest Prezes Urzędu Ochrony Danych Osobowych. Nowa strona internetowa urzędu jest dostępna pod adresem: www.uodo.gov.pl.

Materiały zamieszczone na stronie Generalnego Inspektora Ochrony Danych Osobowych (GIODO) dostępnej pod adresem www.giodo.gov.pl mają charakter archiwalny.

POZOSTAŃ NA STRONIE ARCHIWALNEJ (GIODO)

Who is to assess whether the prerequisites of the transfer of personal data to a third country have been fulfilled?

The prerequisites of the data transfer to a third country, that is to the country that is not a member of the European Economic Area are set in Article 47 of the Act on the Protection of Personal Data. Paragraph 1 of this Article states that the transfer of the personal data to a third country can be carried out only if the country of destination ensures at least the same level of personal data protection in its territory as that in the territory of the Republic of Poland. It can be found also in the Directive of the European Parliament and the Council (95/46/EC) on the protection of individuals with regard to the processing of personal data and on the free movement of such data. According to Article 25 paragraph 1 of the Directive the transfer may take place only, if the third country ensures the adequate level of protection.

Data controller is obliged to independently assess, whether the prerequisites that allow the transfer of the personal data to the third country have been fulfilled, and during the assessment the controller shall take into consideration all of circumstances connected with the transfer of personal data, such us the kind of data, the country of origin or the provisions of law in the country of destination.

The Inspector General for Personal Data Protection does not issue any decisions concerning this matter.

Article 29 Data Protection Working Party - the independent advisory body consisting of the European Data Protection Commissioners - in the opinion issued on July, 24 1998 WP 12, stated that the controller during the assessment of the level of data protection in the third country shall take into consideration two elements: the contents of the provisions concerning data processing and the security means ensuring the proper execution of these provisions. The Working Party determined the full list of rules (the text of the opinion is available on the website www.europa.eu.int, in section (documents adopted, year 1998).

The Commission by virtue of Article 25 paragraph 6 of the Directive has a right to issue a decision that the third country ensures the adequate level of data protection which results from its domestic law or international commitments.

The decision of the Commission that the third country ensures the adequate level of data protection is tantamount to the admission that the country ensures the same level of protection as on the territory of the Republic of Poland (more specific information available on www.europa.eu.int/com/).

The rule that states that the data transfer to the third country may take place only if this country ensures the proper level of protection is not valid if the duty of transfer of data outside the territory of the Republic of Poland results from the provisions of law or international commitments.

The data controller has a right to transfer data to the third country if he becomes a written consent of the data subject or fulfilled some of the other prerequisites given in Article 47 paragraph 3 of the Act on the Protection of Personal Data.

If the earlier mentioned prerequisites are not fulfilled, and the country of destination does not ensure the proper level of data protection the transfer may take place only, if the Inspector General for Personal Data Protection has given the consent and the controller ensures the proper level of protection of the private lives and basic freedoms of the data subject.

Last news