Principles of Transfer under GDPR…Beyond Adequacy

Under GDPR, there is a provision for the Union to declare a third country as a country to which transfer of personal data of EU citizens can be freely permitted without need for further formalities if the country has been assessed for adequate data protection regulations.

As we have discussed in our previous article   despite India passing its own Data Protection Act (Expected in the next few months) which may incorporate all the data protection principles recognized under the GDPR, it is unlikely that India will ever be able to reach this status or it would be desirable to work for this since it would subordinate the sovereignty of India to EU regulations.

However, not being assessed for “Adequacy” is not considered critical since there are other means by which Indian Corporates may continue to work with the Data Controllers of EU and be Data Processors through any of the following means.

Appropriate Safeguards (Art 46)

Under Article 46,  a controller or processor may transfer personal data to a third country if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

Such safeguard may be provided by

(a) a legally binding and enforceable instrument
(b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the Commission
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

 Subject to the authorisation from the competent supervisory authority, the appropriate safeguards may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

Thus, by structuring the Data Processing Contract properly and the Data Controller getting it approved from his supervisory authority, it is possible to work around the transfer restrictions under GDPR. The final word on acceptability of the terms may however lie with the “Committee” of the Union that may give out further guidelines or the Supervisory Authority which approves the contractual clauses.

Indian Companies however have to watch out for the “Indemnity” clause and ensure that the Data Controller does not introduce an indemnity clause without a limit and in excess of the financial risk absorption capacity of the Data Processor.

Since any payout f a penalty by the Indian Data Processor in foreign currency  also affects the Foreign Exchange Regulations of the Country through FEMA, a control can also be exercised if RBI uses the FEMA appropriately to prohibit any payments in excess of the earnings out of a contract except with the prior permission of the Indian Financial Regulator.

(Discussions to continue)


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.