Analysis

Change of rules for personal data transfer to US:

Actions to be taken

Actions to be taken into consideration following the invalidation of Safe Harbour principles by a decision of European Court of Justice

Pursuant to the decision ruled by the European Court of Justice (the „Court”) in case C-362/14, the Safe Harbour principles have been declared invalid with respect to the transfers of personal data from European Union to the United States of America („USA”). We present below the actions which should be taken into consideration by the data controllers who previously declared to the Data Protection Authority (the “DPA”) transfers based on a Safe Harbour certificate.

Actions to be taken into consideration following the invalidation of Safe Harbour principles by a decision of European Court of Justice

Pursuant to the decision ruled by the European Court of Justice (the „Court”) in case C-362/14, the Safe Harbour principles have been declared invalid with respect to the transfers of personal data from European Union to the United States of America („USA”). We present below the actions which should be taken into consideration by the data controllers who previously declared to the Data Protection Authority (the “DPA”) transfers based on a Safe Harbour certificate.

Impact of the decision

The actions presented below regard the following situations:

  • Safe Harbour certified data controllers
  • Data controllers who contract with third parties that are safe Harbour certified

Following the decision ruled by the Court, the DPA will no longer register in the evidence registry of the personal data processing the transfer of personal data to entities in USA based on Safe Harbour principles.

Also, the data controllers who already submitted notifications in the evidence registry of personal data processing may continue to perform transfer to USA only with the observance of the conditions specified below.

Options available

Personal data transfers to USA may be performed only based on the guarantees of transfer provided by the legislation in force, respectively:

  • Standard contractual clauses approved by the European Commission and recognized by the DPA, or
  • Binging corporate rules– “BCR”, or
  • The guarantees provided by art. 30 of Law no. 677/2001, which provide the situations in which the transfer is always permitted, such as: (a) consent of the data subject, (b) necessity to conclude a contract between the data subject and the data controller or for the execution of pre-contractual measures disposed upon the request of the envisaged subject, (c) necessity to protect life, physical integrity or health of the data subject.

With respect to the situation of contracting with third parties that are Safe Harbour certified, the Romanian data controllers must consider the potential liability towards the data subjects, as well as the liability based on the provisions of Law no. 677/2001 in connection with the possible transfer of data to USA based on Safe Harbour principles.
In addition to this, failure to comply with the above mentioned requirements may be subject to administrative fines up to 50.000 lei. Furthermore, if the DPA finds that the third country destination of data is not satisfactory, it can also impose the prohibition of data transfer.

To the extent you need assistance with respect to updating the mechanisms implemented for protecting the transfer of personal data to USA, please let us know. Also, with respect to potential personal data transfers to USA following the execution of contracts with third parties that are Safe Harbour certified, we may assist with updating and amending these contracts pursuant to the decision of the Court.

Further information: