Chapter 11 (Articles 76-78) of the Act on the protection of personal data of 6 July 2000 establishes a special regime for the transfer of personal data from the Netherlands to a third country. A third country is a country outside the EU. The requirements laid down in Articles 76 to 78 have been adopted to implement the provisions of Chapter IV of EC Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
This Directive has a double objective: on the one hand, it aims to create a high level of protection of the right to privacy with respect to the processing of personal data and, on the other hand, it aims to ensure the free movement of such data within the European Union . When personal data are to be transferred to a third country the Directive makes this transfer subject to special conditions. A transfer can only take place if the requirements imposed by the Directive are respected.
This policy paper aims to offer guidance concerning the application and interpretation of this chapter of the Wbp to all those intending to transfer personal data to third countries. In order to facilitate understanding of the paper, examples will be used and a number of case studies will be included in the last chapter of the paper. Obviously they do not cover all possible questions a controller can face. In this context, the Dutch Data Protection Authority would like to emphasise that most of these practical questions can only be answered in the light of the specific circumstances of a given case; in other words, each situation should be dealt with on its own merits.
This paper will concentrate on Articles 76 to 78 Wbp and will only refer to other articles of this Act when this is necessary for understanding of the text. Needless to say, all other provisions of the Wbp remain applicable. Any transfer to a third country falling under its scope will only be in conformity with it if it complies with all the provisions of the Act relevant to the specific case.
It should be born in mind that, as the Wbp implements the Directive into Dutch law, the text of the Directive sometimes plays an important role in the correct interpretation of the provisions of this Act. This is the reason why this paper will at times refer to the Directive.
A number of documents approved by the so-called Working Party for the Protection of Individuals with regard to the Processing of Personal Data will also be mentioned at certain points, as they offer valuable interpretations of different aspects of the Directive. Practical experience has shown that these documents are often the basis for the discussions on trans-border data flows held in Brussels.
Both the Minister of Justice and the Data Protection Authority play important roles in the context of the granting of permits, which is one of the main issues dealt with in this paper. The Minister is entitled to take the final decision concerning a permit request, taking into account the advice given by the Dutch DPA. The Data Protection Authority has an advisory role to the Minister and is at the same time the supervisory authority for the processing operations in question, not only at the moment that the decision concerning the permit is taken but also subsequently.
The Minister of Justice is obliged to seek the advice of the Dutch DPA before issuing a permit. According to the text of the explanatory memorandum of the Wbp , the advice of the Dutch DPA will play an important role in this context and will contribute to the quality of the decisions concerning permits due to its expertise and experience in this field.
This paper has been drafted by the Dutch Data Protection Authority. However, in order to make the procedure for granting a permit more user-friendly and speedy, the Dutch DPA and the Ministry of Justice have agreed on the main issues covered by this paper. They have come to a common understanding of the subject that should enable them to deal with these cases in a coherent and co-ordinated way.
Table of contents
- 1. Scope of application of the rules and general considerations
- 1.1. Scope of application of the Wbp
- 1.2. What is a transfer of personal data?
- 1.3. To which kind of transfers do these rules apply?
- 1.4. From what date does the Wbp apply?
- 2. The rules of the Wbp on trans-border data flows to third countries: a three-step approach
- 2.1. Is there adequate protection? (article 76)
- 2.1.1. What is adequate protection?
- 2.1.2. Who decides on adequacy on a case-by-case basis?
- 2.1.3. When and how does the European Commission make an adequacy finding?
- 2.1.4. Conclusion
- 2.2. Is it possible to make use of one of the exceptions of article 77.1?
- 2.2.1. Unambiguous consent of the data subject
- 2.2.2. Transfer necessary for the performance of a contract or for pre-contractual measures
- 2.2.3 Transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party
- 2.2.4. Transfer necessary on important public interest grounds or for the establishment, exercise or defence in law of any right
- 2.2.5. Transfer necessary for the protection of the vital interest of the data subject
- 2.2.6. Transfer from a public register or a register that can be generally consulted
- 2.2.7. Conclusion
- 2.3. Is it possible to obtain a permit for the data transfer from the Minister of Justice (article 77.2)?
- 2.3.1. What are “adequate safeguards”?
- 2.3.2. Requirements for contractual solutions
- 2.3.3. Can contractual solutions be used in all cases?
- 2.3.4. Use of the model contracts approved by the European Commission
- 2.3.5. Procedure for the granting of a permit
- 2.3.6. What happens after a decision concerning a permit application has been taken?
- 3. A particularly interesting commission adequacy finding: the Safe Harbour
- 4. Practical case studies
- 4.1. A real case: iBazar-eBay
- 4.1.1. Facts of the case
- 4.1.2. Searching for a solution
- 4.1.3. Conclusion
- 4.2. A transfer from a Dutch controller to a processor in India
- 4.2.1. Facts of the case
- 4.2.2. Searching for a solution
- 4.2.3. Conclusion
- 4.3. A transfer from a Dutch public-sector institution to a public-sector institution in a third country
- 4.3.1. Facts of the case
- 4.3.2. Searching for a solution
- 4.4. A transfer from a Dutch company to an international database
- 4.4.1. Facts of the case
- 4.4.2. Searching for a solution
- 4.4.3. Conclusion
- 4.5. A transfer from a Dutch company to a “less-democratic” third country
- 4.5.1. Facts of the case
- 4.5.2. Searching for a solution
- 4.5.3. Conclusion
- 4.6. A transfer from a Dutch financial institution to several financial institutions outside the european union
- 4.6.1. Facts of the case
- 4.6.2. Searching for a solution
- 4.6.3. Conclusion
- Application form for a permit as defined in article 77.2 wbp (mandatory use)