14 October 2016

Transfer of personal data to third countries for research

Here follows a general description of the legal requirements of transferring personal data to third countries for research.

Notwithstanding the possibility of transferring personal data to a third party, a personal data controller in Sweden must always comply with all the other requirements stipulated in the Swedish Personal Data Act (PUL, 1998:204). These include the basic requirements regarding the processing of personal data and the rules concerning when such processing is even permitted.

The personal data controller must therefore first determine whether the processing entailed in the transfer is even legal, and then, if relevant, assess what is required for a transfer to a specific third country. This document only deals with the latter.

General rule

A transfer to a third country means that personal data processed in an EU or EEA country is made accessible in a country outside the EU/EEA. Third-country rules thus do not apply to transfers within the EU/EEA. Section 33 of the Personal Data Act stipulates that a transfer may only be made to a third country if the country has an adequate level of protection for personal data. Under section 33, paragraph 2, all circumstances surrounding the transfer must be taken into account when assessing whether the level of protection is adequate.

The European Commission has analysed the data protection rules in various countries and determined that the level of protection is adequate in the following countries:

  • Argentina
  • Bailiwick of Guernsey
  • The Faeroe Islands
  • Isle of Man
  • Jersey
  • Switzerland

The European Commission has also determined that the level of protection is adequate in certain areas or under certain conditions in:

  • Canada: if their legislation for the protection of personal data in the private sector is applicable to the recipient’s processing of personal data

National Quality Registries

The European Commission Decisions are listed in Appendix 1 of the Swedish Personal Data Ordinance. The Ordinance also stipulates that the transfer of personal data is permitted in such cases. However, the applicant’s own assessment that the country has an adequate level of protection is probably not sufficient for the approved transfer of personal data to a third country.

Exemptions

Even if the third country does not have an adequate level of protection, under sections 34-35 of the Personal Data Act, the transfer of personal data may still be permitted. The following relevant exemptions for the transfer of personal data for research are permitted under section 34 of the Personal Data Act:

  • The consent of the registered person
  • The country has acceded to the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, no. 108, 1981. This exemption only applies when the data will only be used in that country. The following website lists the countries that have acceded and ratified the convention:

Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, Council of Europe

Under section 35 of the Personal Data Act, personal data may be transferred to a third country if this is permitted by regulation or special decision by the Swedish government or by the Swedish Data Inspection Board.

Such regulations or decisions require adequate guarantees that the rights of the registered parties are protected. Under section 13 of the Personal Data Ordinance, it is permitted to transfer personal data to a third country if this is supported by standard contractual clauses approved by the European Commission. No permit from the Swedish Data Inspection Board is necessary.

Standard contractual clauses are contractual clauses with obligations for both the personal data controllers who want to transfer data to a third country and the personal data controllers or processors receiving the data. The clauses also regulate other issues, such as the registered parties’ rights and how disputes arising from the agreement will be resolved.

The purpose of the contractual clauses is to provide sufficient guarantees that the individual’s rights will be protected in the transfer of personal data to countries that do not have adequate levels of protection.

Three alternatives for standard contractual clauses

There are three alternatives for standard contractual clauses. Two apply to transfers to personal data controllers in third countries. Both of these contracts can be used and there are no significant differences between them. However, contract 2 is often found to be simpler. Below are direct links to the decisions with the standard contractual clauses annexed. You can download the PDF documents in both English and Swedish:

1. Standard contractual clauses for the transfer of personal data to third countries (English)

Standardavtalsklausuler för överföring av personuppgifter till tredje land (Swedish)

2. Amending Decision as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries (English)

Ändring av beslut om standardavtalsklausuler för överföring av personuppgifter till tredje land (Swedish)

The third alternative concerns the transfer of data to personal data processors in third countries. Below are direct links to the decision with the standard contractual clauses annexed in Word documents:

3. Standard contractual clauses for the transfer of personal data to processors established in third countries (English)

Överföring av personuppgifter till registerförare etablerade i tredjeland (Swedish)

For further information on the contractual clauses, please see:
Opinions and recommendations from The European Commission

BBC News: EU watchdogs permit Privacy Shield to run for one year

2016-07-26

The new EU-US data-sharing agreement will be able to run for at least a year, European regulators have announced.

The Privacy Shield allows companies to transfer personal data from the EU to the United States. EU governments approved the pact earlier this month, but 28 data protection authorities had yet to comment.

They have now said they will not challenge the deal for at least a year. This means that no legal objection to the framework will be launched until it has had time to go through its first annual review next summer.

The Privacy Shield replaces an arrangement known as Safe Harbour, which was struck down in October 2015 after leaks showed data was subject to US.

Read the full article: EU watchdogs permit Privacy Shield to run for one year
