A guide to the Data protection rules regarding transferring data to third countries.
Transferring Personal Data to Third Countries
Transfer of Data to Third Countries
A Summary of the Data Protection Rules
Section II of the Data Protection Acts 1988 and 2003 specifies conditions that must be met before personal data may be transferred to third countries. The main points of the rules are briefly summarised below:
- Organisations that transfer personal data from Ireland to third countries ? i.e. places outside of the European Economic Area (EEA) ? will need to ensure that the country in question provides an adequate level of data protection. Some third countries have been approved for this purpose by the EU Commission. The US ?Safe Harbour? arrangement has also been approved, for US companies which agree to be bound by its data protection rules. In the case of countries that have not been approved in this way, there are a number of different measures that a data controller must take to meet this requirement. These measures include obtaining the consent of the individuals in question, or alternatively using EU-approved ?model contracts? which contain data protection safeguards.
- The rules clarify the level of security measures that organisations must have in place to protect personal data. Generally speaking, organisations must take all necessary and reasonable steps, having regard to the state of current technology, and to the sensitivity of the personal data in question.
- If you retain the services of an agent to process personal data on your behalf ? a ?data processor? ? then you must use a contract in writing (or equivalent form) which deals adequately with issues of security, confidentiality and other data protection matters.
- The Acts apply to all data controllers ?established in Ireland? ? this includes any foreign data controllers which operate through an Irish intermediary. The Act also applies to data controllers established outside the EEA which use equipment in Ireland to process personal data. These non-EEA data controllers must designate a representative in Ireland.
Note:The European Economic Area is made up of the EU countries plus Norway, Iceland and Liechtenstein.
For further information please visit the Data Protection Commissioner's website.