English
NederlandsInternational transfer of personal data
Multinationals routinely transfer the personal data of their employees between group companies in different countries. However, strict conditions apply to the international transfer of personal data to individuals or organizations outside the EU. There are also many differences in privacy rules around the world, and even within Europe. Multinationals may find that having binding corporate rules simplifies matters.
What constitutes the international transfer of personal data?
The international transfer of personal data is the disclosure of personal data to a person outside EU jurisdiction[1]. Some examples of this kind of disclosure are when:
- a company within the EU sends an e-mail with personal data to another company outside the EU, possibly for marketing purposes;
- a company outside the EU merges with or acquires a company within the EU.
What rules govern the international transfer of personal data?
The international transfer of personal data within the EU is subject to the normal requirements of the Personal Data Protection Act (Wbp). The EU Data Protection Directive[2] has been implemented by all EU member states in national legislation, which in the Netherlands is the Personal Data Protection Act (Wbp). In theory, then, all EU member states provide equivalent protection. Personal data may therefore be transferred within the stated limits.
More stringent conditions prohibit the international transfer of personal data outside the EU (or more accurately outside the EEA, which is the EU plus Norway, Iceland and Liechtenstein) unless:
- the country or territory concerned ensures ‘an adequate level of protection’[3] e.g. Argentina, Canada (partly), Guernsey, the Isle of Man, the USA (subject to Safe Harbor Certification) and Switzerland; or
- in cases covered by exemptions[4], such as with the unequivocal consent of the employee involved for the necessary transfer of personal data in connection with concluding or performing an employment contract (N.B the hierarchical employer-employee relationship means that an employee’s ‘unequivocal’ consent will not normally be assumed without question); or
- with permission from the Ministry of Justice[5]: an application may be made through the Dutch Data Protection Authority (CBP). Permission may then be obtained fairly rapidly based on model contractual clauses.
What are binding corporate rules?
Binding corporate rules (BCR) are internal binding codes of corporate conduct, which multinationals themselves may define, for the international transfer of personal data within the group to companies inside and outside the EU. An ‘adequate level of protection’ is then effectively created within the group.
The minimum requirements for BCR[6] are:
- privacy rules: a privacy policy (which data may be processed, for which purposes, who has access to data, how long are data retained and secured, and what rights do employees have regarding access and correction) must be defined and implemented;
- appropriate training: employees who process the data must have received appropriate training in applying the privacy rules;
- audits: there must be audits to monitor compliance with the privacy rules;
- reporting: there must be reporting on compliance with the privacy rules to the company board and, on request, to the CBP;
- complaint handling: there must be a system for handling employees’ complaints about noncompliance with the privacy rules.
BCRs are valid only with the approval of the data protection supervisor of the EU member state where the company is based. In the Netherlands, therefore, approval must be obtained from the CBP. In order to avoid duplication of effort, agreements have been made by which the approval of only 3 EU member states is sufficient in some cases. If the EU member states approve the BCR, the approval applies in 19 of the 27 EU member states, since the 19 member states have agreed to recognize each other’s approvals.[7]
What are the benefits of BCR?
BCRs allow multinationals to harmonize their privacy policies with the EU Data Protection Directive within the group. Doing so will benefit the internal and external communication of the privacy policy. The risks attached to the international transfer of personal data to countries outside the EU will then be reduced considerably.
Rachid Aolad-Si M’hammad
Attorney at law, employment law
rachid.aoladsi@vmwtaxand.nl
There is additional information on privacy and how our various practice groups can be of assistance to you here.
[1] See ‘Tekst en Toelichting Wet Bescherming Persoonsgegevens (Text and Explanation of the Personal Data Protection Act)’, SDU Uitgevers, under item 76 Wbp.
[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
[3] See Article 76 paragraph 1 of the Wbp. There is additional information about the Safe Harbor Principles on www.export.gov/safeharbor.
[4] See Article 77 paragraph 1 of the Wbp.
[5] See Article 77 paragraph 2 of the Wbp. The handling of an application can be expedited by using European Commission approved model contractual clauses.
[6] Recommendation Art. 29 WP 74 ‘Applying Article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers’. Adopted on 3 June 2003.
[7] Article 29 Data Protection Working Party WP107 ‘Working Document Setting Forth a Co-Operation Procedure for Issuing Common Opinions on Adequate Safeguards Resulting From “Binding Corporate Rules”‘, 14 April 2005. The 19 countries are Belgium, Bulgaria, Cyprus, France, Germany, Ireland, Iceland, Italy, Latvia, Liechtenstein, Luxembourg, Malta, the Netherlands, Norway, Austria, Slovenia, Spain, the Czech Republic and the United Kingdom. See also the article ‘Van papieren tijger naar praktische toepassing (From paper tiger to practical application)’ by L. Moerel, Automatisering Gids, 23 September 2011.