Principles of the transfer of personal data to  third countries

Introduction

The continuous globalisation of the world economy influences the international transfer of personal data. The transfer of personal data to third countries, i.e. not being members of the European Economic Area, and especially those which do not ensure within their territories adequate level of personal data protection, results in high risk of breaching the rights and freedoms of the data subjects. Therefore the Act of August 29, 1997 on the Protection of Personal Data (Journal of Laws of 2015 item 2135) imposes specific requirements on the transfer of personal data to third countries. They are specified in Chapter 7 of the Act on the Personal Data Protection entitled: “Transfer of Personal Data to a Third Country” (Articles 47 and 48). It needs to be underlined that the abovementioned provisions implemented relevant provisions of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard of the processing of personal data and on the free movement of such data, hereinafter referred to as the Directive. This is way, they are of importance for the interpretation of Polish personal data protection provisions.  

What principles form the basis for personal data transfer to European Economic Area Member States?  

The Data Protection Act does not contain any explicit provisions which would separately  regulate the transfer of personal data to the European Economic Area (EEA) Member States, hereinafter referred to as the “EEA Member States”. It needs to be underlined that, according to the legal definition given in Article 7 point 7 of the Act, a third country shall mean a country which does not belong to the European Economic Area. Simultaneously, the legislator have introduced additional requirements only with relation to personal data transfer to third countries. It means that the transfer of personal data within borders of the European Union shall be treated as the transfer inside the territory of the Republic of Poland. This principle applies to all the Member States of the European Union and those Member States of the European Economic Area which are not the European Union Members (presently: Norway, Iceland and Liechtenstein).

The free flow of personal data within the European Union and further within the European Economic Area is the necessary condition of the Polish membership in the European Union. The EU Member States have implemented the provisions of the Directive 95/46/EC into their legal orders. Two main goals of the Directive are to ensure:

• adequately high level of personal data protection,
• free flow of personal data within the territory of the European Union.

As a result of approach followed by the legislator the transfer of personal data to the EEA Member States is conducted in accordance with general principles of data processing, outlined in  the Act on Personal Data Protection, with the exception of Chapter 7. Such data controller as well as the controller processing personal data only in the territory of Poland is obliged, among others, to fulfil one of the prerequisites for data processing, as well as obey the principles of purpose limitation and data quality and to secure the data being processed.

Are there any additional requirements that need to be met in order to transfer personal data to a third country?

Yes. As opposed to the data transfer to the EEA Member States, apart from the general provisions outlined in the Act on Personal Data Protection, the obligations imposed by the provisions of Chapter 7 of  the Act also need to be fulfilled in case of transfer of personal data to a third country.

On what grounds can personal data be transferred to third countries?

On the grounds of the Article 47 of the Act on the Protection of Personal Data, the transfer of data to a third country may take place only if the country of destination ensures adequate  level of protection of the personal data.

It has to be stated, that abovementioned provision mirrors art. 25 1) of the Directive, according to which the Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of the Directive, the third country in question ensures the adequate level of data protection.

Basically, in the context of the provisions of the Act on the Protection of Personal Data and of the European law the transfer of personal data to a third country may take place only if the country of destination ensures adequate level of personal data protection.

In what circumstances does a third country ensure the adequate level

of personal data protection?

In line with art. 47 1a of the Act on the Protection of Personal Data The adequacy of the level of personal data protection shall be evaluated taking into account all the circumstances concerning a data transfer operation, in particular the nature of the data, the purpose and duration of the proposed data processing operations, the country of origin and the country of final destination of the data as well as the legal provisions being in force in a given third country and the security measures and professional rules applied in this country. It is also worth noting, that according to art. 25 2) of the Directive the adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

An attempt to establish the methodology of investigating the level of data protection in a third country was taken by the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established on the grounds of Article 29 of the Directive 95/46EC, hereinafter referred to as the Article 29 Working Party.

The Article 29 Working Party in its working paper of July 24, 1998 No WP 12 on the Transfers of Personal Data to Third Countries; Applying Articles 25 and 26 of the Data Protection Directive underlined that the adequate level of data protection shall consist of two elements: the rules concerning the processing of personal data and the means to ensure the effective application of the data protection provisions. The basic rules of data processing, which shall be ensured in a third country, comprise:

the purpose limitation principle -  the data shall be processed for a specific purpose; further processing of the data may only take place if it is not contrary to the original purpose of data processing.

data quality and proportionality principle – the data shall be specific and when necessary, kept up to date. Data shall be adequate in relation to the purpose for which they were collected.

the transparency principle – the data subject shall be provided with the information concerning the purpose of the processing of personal data and of the data controller in the third country.

the security principle – technical and organisational security measures should be taken by the data controller that are appropriate to the risks presented by the processing

the rights of access, rectification and opposition – the data subject shall have the right of access to the information concerning him or her, the right to rectify the data and under certain circumstances the right to object to the processing of personal data.

restrictions on onward transfers – further transfers of the personal data by the recipient of the original data transfer should be permitted only where the second recipient (i.e. the recipient of the onward transfer) is also subject to rules affording an adequate level of protection.

Due to the significant diversity of the national data protection systems, the Article 29 Working Party pointed out three features which the data protection systems should ensure as regards measures concerning data protection. First of all, the system shall deliver a good level of compliance with the data protection rules (it should be effective and ensure a high degree of awareness among data controllers of their obligations). The system should also enable data subjects to exercise their rights, which means the necessity of existence of institutional mechanism allowing independent investigation of complaints. The system should also provide for proper redress  mechanism in case of breach of personal data processing rules.

The full text of the working document (translated, among others into English, French and German) is available on the website:

http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/1998/wp12_en.pdf  

On the basis of Article 25 6) of the Directive 95/46/EC, the European Commission may find that a third country ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations with the European Commission for the protection of the private lives and basic freedoms and rights of individuals. Up to now, the Commission has issued several decisions of various nature and extent. In addition, separately adopted legal measures concerning personal data transfer to third countries in the area of police and judicial cooperation in criminal matters should be brought up. Following countries have been subject to adequacy decisions:

Andorra

010/625/EU: Commission Decision of 19 October 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Andorra, is available in electronic form on the following website:

http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32010D0625

Argentina

2003/490/EC: Commission Decision of 30 June 2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina is available in electronic form on the following website:

http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1415636698083&uri=CELEX:32003D0490

Australia

Council Decision 2008/651/CFSP/JHA of 30 June 2008 on the signing, on behalf of the European Union, of an Agreement between the European Union and Australia on the processing and transfer of European Union-sourced passenger name record (PNR) data by air carriers to the Australian Customs Service Agreement between the European Union and Australia on the processing and transfer of European Union-sourced passenger name record (PNR) data by air carriers to the Australian customs service, available in electronic form on the following website:

http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1416844664688&uri=OJ:JOL_2008_213_R_0047_01

Guernsey

2003/821/EC: Commission Decision of 21 November 2003 on the adequate protection of personal data in Guernsey,available in electronic form on the following website:

http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1415701941268&uri=CELEX:32003D0821

State of Israel

2011/61/EU: Commission Decision of 31 January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data, available in electronic form on the following website:

http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1415701992276&uri=CELEX:32011D0061

Jersey

2008/393/EC: Commission Decision of 8 May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey, available in electronic form on the following website:

http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1415703064772&uri=CELEX:32008D0393

Canada

2002/2/EC: Commission Decision of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act, available in electronic form on the following website:

http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32002D0002&qid=1415699250815

New Zealand

2013/65/EU: Commission Implementing Decision of 19 December 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by New Zealand available in electronic form on the following website:

http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1415703506367&uri=CELEX:32013D0065

United States of America

Council Decision 2007/551/CFSP/JHA of 23 July 2007 on the signing, on behalf of the European Union, of an Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement), available in electronic form on the following website:

http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1416845561356&uri=OJ:JOL_2007_204_R_0016_01

Agreement between the European Union and the United States of America on the processing and transfer of Passenger Name Record (PNR) data by air carriers to the United States Department of Homeland Security (DHS) (2007 PNR Agreement), available in electronic form on the following website:

http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1416845561356&uri=OJ:JOL_2007_204_R_0016_01

Abovementioned legal acts concern exclusively the transfer of personal data of flight passengers to the United States by flight carriers and do not form a legal basis to deem USA personal data protection system as ensuring adequate level of personal data protection.

On October the 6^th the Court of Justice of the European Union issued crucial judgement in case Maximilian Schrems vs Data Protection Commisionner (C-362/14), by which it invalided the European Commission Decision of 26^th July 2000 on the adequacy of the protection provided by the safe harbour privacy principles in the USA. From now on, this decision cannot form a legal basis to deem USA personal data protection system as guarantying at least the same level of personal data protection as one in force in the Republic of Poland.

Detailed GIODO explanations on aforementioned judgment are available on the following website:

http://www.giodo.gov.pl/560/id_art/8951/j/pl

Switzerland

2000/518/EC: Commission Decision of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland available in electronic form on the following website:

http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1415700329280&uri=CELEX:32000D0518

Isle of Man

2004/411/EC: Commission Decision of 28 April 2004 on the adequate protection of personal data in the Isle of Man available in electronic form on the following website:

http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1415702956426&uri=CELEX:32004D0411

Faeroe Islands

2010/146/: Commission Decision of 5 March 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection provided by the Faeroese Act on processing of personal data, available in electronic form on the following website:

http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1415701435417&uri=CELEX:32010D0146

An assessment whether third country ensures adequate level of protection is to a data controller,  who has to assess whether perquisites named in art. 47 1) have been met. The Inspector General does not issue any certificates in this regard. It has to be noted, that in case of doubts concerning adequacy of level of protection, data controller that intents to transfer data to a third country shall meet one of the prerequisites established in art. 47 2) and 3) or art. 48 of the Data Protection Act.

Does the Data Protection Act allow for personal data transfer to a third country, which does not ensure adequate personal data protection?

Yes. The transfer of personal data to a third country which do not ensure adequate level of personal data protection is possible, yet this comes under condition, namely one of the prerequisites established in art. 47 2) or 3) has to be fulfilled.

First of all, it has to be explained that personal data transfer to a third country, which do not ensure adequate level of personal data protection is permissible if transfer of personal data derives from an obligation imposed on the data controller by legal provisions or by the provisions of any ratified international agreement which guarantee adequate level of data protection (art. 47 2)). It has to be highlighted, that aforementioned rule extents only to law provisions applying on the territory of the Republic of Poland or ratified international agreements. Moreover, textual interpretation of art. 47 2) indicates the necessity of existence of explicate obligation to transfer personal data.    

Art. 47 3) of the Act, contains prerequisites authorising personal data transfer to a third country, which do not ensure adequate personal data protection. Namely data controller can transfer personal data to a third country if:

1. the data subject has given his/her written consent,

Abovementioned prerequisite should be strictly interpreted in the light of art. 7 5) wording. According to which data subject consent shall mean a declaration of will by which the data subject signifies his/her agreement to personal data relating to him/her being processed; the consent cannot be alleged or presumed on the basis of the declaration of will of other content. As a consequence, a person giving such a will declaration should be aware of the lack of adequate level of data protection in a third country, to which data are to be transferred.

1. the transfer is necessary for the performance of a contract between the data subject and the controller or takes place in response to the data subject's request,

Within this prerequisite two types of situations can be isolated, in which data transfer is permissible. First of them applies in case of performance of an agreement between data controller and data subject, while the second concerns a case where data transfer takes place in response to the data subject's request. Simultaneously, it shall be deemed that hypothesis of the aforementioned norm embraces actions related to performance of the agreement as well as actions taken before the agreement is entered into – taking place in response to the data subject's request. It has to be stressed, that personal data can be transferred if they are necessary for obtaining the purpose. Therefore the usefulness of data alone does not constitute sufficient condition for data transfer.

1. the transfer is necessary for the performance of a contract concluded in the interests of the data subject between the controller and another subject,

It is important that the agreement between data controller and other entity is concluded in the interests of a data subject. An example of which can be a reinsurance agreement.

1.  the transfer is necessary or required by reasons of public interests or for the establishment of legal claims,

Looking on possibility of personal data transfer to third country, when it is necessary by reasons of public interests, it should be noted that in line with recital 58 of the preamble of Directive 95/46/EC data transfer is permissible where protection of an important public interest so requires, for example in cases of international transfers of data between tax or customs administrations or between services competent for social security matters. Thus, this provision should be narrowly interpreted.

1. the transfer is necessary in order to protect the vital interests of the data subject,

The vital interests of a data subject shall be understood as interests necessary for a data subject to live. This is way, as a rule, economic interests remains outside this notion.

1. the transfer relates to data which are publicly available.

It has to be stressed that this prerequisite excludes a situation where data have become publicly available as a result of breach of a law.

In which cases the Inspector General for Personal Data Protection may allow the transfer of personal data to a third country?

If one of the prerequisites of art. 47 2) or 3) of the act has not been fulfilled and a third country does not ensure an adequate level of personal data protection in its territory, the transfer of personal data may take place subject to a prior consent of the Inspector General, provided that the controller ensures adequate safeguards with respect to the protection of privacy, rights and freedoms of the data subject (Art. 48 of the Act).

It needs to be underlined that the transfer of the personal data to a third country which does not ensure an adequate level of personal data protection may begin only after issuing the decision by the Inspector General. This decision does not legitimise the earlier transfer of personal data.

The Inspector General, while considering an application for consent to personal data transfer shall assess whether the data controller ensures adequate safeguards with respect to the protection of privacy, rights and freedoms of the data subject. Such evaluation is made with the use of the same prerequisites as the ones used for the general assessment of the data protection level ensured in a third country. Every application shall be nevertheless evaluated on a case-by-case basis, having regard to all circumstances.

The data controller may ensure an adequate level of protection of personal data which are the subject to the transfer, especially by accepting the relevant contractual obligations.

When obtaining of the Inspector General for Personal Data Protection consent is not required?

In line with Art. 48 2) of the Act the consent of the Inspector General is not required, if the controller ensures adequate safeguards with respect to the protection of privacy, rights and freedoms of the data subject, by means of:

1. standard contractual clauses on personal data protection, approved by the European Commission in accordance with Art. 26 4) of the Directive 95/46/EC;
2. Binding Corporate Rules, which have been approved by the Inspector General

Can the controller of personal data use standard contractual clauses?

Yes. Acting on the basis of art. 26 4) of the Directive the Commission is entitled to deem in a form of the decision that certain standard contractual clauses offer sufficient safeguards as regards personal data protection as well as rights and freedoms of individuals. Those decisions require Member States to comply with safeguards established in the standard contractual clauses deemed in the Commission decisions as ensuring adequate level of data protection. This does not exclude an obligation imposed on the Member States to comply with other requirements laid down in national law. So far, the European Commission has issued three such decisions.

Application by data controller of standard contractual clauses pursuant to art. 48 2) point 1 of the Act, constitutes sufficient guaranty for personal data transfer to third country and do not require consent or approval of the Inspector General.

In order to be allowed to use the clauses, they cannot be modified in significant manner.

2001/497/EC: Commission Decision on standard contractual clauses for the transfer of personal data to third countries (OJ L 181, 4.7.2001, p. 19–31), under Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data was adopted on 15^th June 2001. Standard contractual clauses introduced by this decision are applied to personal data transfer to the data controller established in a third country.

The wording in multilingual versions is available on the following website: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32001D0497.

2004/915/EC: Commission Decision amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries (OJ L 385, 29.12.2004, p. 74–84)under Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data was adopted on 27^th December 2004. This decision introduced alternative set of standard contractual clauses, that can be applied by the data controller in case of a transfer to other data controller established in a third country. It results from the above, that the data controller can choose one out of two sets of standard contractual clauses.

The wording in multilingual versions is available on the following website: http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1401799828216&uri=CELEX:32004D0915.

2010/87/: Commission Decision on standard contractual clauses for the transfer of personal data to processors established in third countries (OJ L 39,  12.2.2010, p. 5—18) under Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data was adopted on 5^th February 2010. Standard contractual clauses introduced by this decision are applied to personal data transfer in case of subcontracting of personal data processing operations in the meaning of art. 31 of the Act.

The wording in multilingual versions is available on the following website: http://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1401799946706&uri=CELEX:32010D0087

Aforementioned decision has repelled the 2002/16/EC Commission Decision on standard contractual clauses for the transfer of personal data to processors established in third Countries (OJ L 6/52 of 10.1.2002), under Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, which was adopted on 27^th December 2001.

The wording in multilingual versions is available on the following website: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2002:006:0052:0062:en:PDF

Attention: Decision 2010/87/EU applies do clauses entered into after 15^th May 2010. All clauses entered into between data exporter and data importer on the basis of Decision 2002/16/EC before this date however, remains binding as long as data processing and transfer operations, subject to agreement, remain unchanged and the personal data contained in the agreement are still being transferred among the parties. If agreeing parties decide to introduce changes in this regard or to subcontract data processing operations, subject to the agreement, adoption of a new agreement in line with standard contractual clauses laid down in Appendix to the Commission Decision 2010/87/EU is required.

The Article 29 Working Party adopted on 12 July 2010 a document WP176 in which it explained some doubts regarding application of Commission Decision 2010/87/EU.

The wording in several versions, including English one, is available on the following website: http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm.

In what form can standard contractual clauses be used?

It has to be stressed, that standard contractual clauses can form part of a broader agreement entered into between data controller and data recipient in a third country. They can be also introduced in a form of Appendix to such agreement. Drafting of a separate document is another possibility.

Can the data controller use Binding Corporate Rules?

Yes. Binding Corporate Rules are a separate guaranty of personal data transfer to a third country, which have been approved by the Inspector General. Binding Corporate Rules are separate instrument which can play special role in case of personal data transfer within international corporations. It is an  instrument which can ensure a larger margin of flexibility on the one hand and guarantee high and uniform level of personal data protection within the corporation on the other, irrespective of the level of personal data protection within the territory of respective countries.

Do the Binding Corporate Rules have to be approved by the Inspector General for Personal Data Protection?

Yes. According to art. 48 3) of the Act, the Inspector General shall, by way of an administrative decision, approve the binding corporate rules adopted within a group of entrepreneurs for the purposes of the transfer of personal data by the controller or the entity referred to in Art. 31 1) to another controller or entity referred to in Art. 31 1) within the same group in a third country.

Binding corporate rules have to be submitted to the Inspector General in Polish language version or alternatively in bilingual version (including Polish one). In line with art. 4-5 of the Act of 7^th October 1999 on the Polish language, the Polish language is official one of national authorities, which take all their formal actions as well as give declarations of will in Polish language, unless stated otherwise.

On June 3, 2003 the Article 29 Working Party issued working paper WP 74 on “Transfers of personal data to third countries: Applying Article 26 (2) of the EU Data Protection Directive to Binding Corporate Rules for International Data Transfers”.

The text of the working paper is available (in English, French and German language versions) on the following website:

http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm. 

The Article 29 Working Party while performing the analysis of the motion of corporate rules pointed out that these rules are:

1. binding or legally enforceable because only with such a character may any clauses be regarded as "sufficient safeguards" within the meaning of Article 26 (2);
2. corporate in the sense that they consist of the rules in place in multinational companies, usually set up under the responsibility of the headquarters;
3. for international data transfers as the main reason for their existence.

Article 29 Working Party adopted in its Working document (WP108) of 14^th April 2005,  model checklist with all necessary elements, that have to be contained in Binding Corporate Rules.

Bargaining for, that Binding Corporate Rules are indented to be of a general application, the European personal data protection authorities adopted cooperation procedure, aimed at common handling of consent for personal data transfer applications, on the basis of Binding Corporate Rules (Working document WP107 adopted on14 April 2005).

Both Working documents are available in English, French and German in electronic form on the following website:

http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm

The Recommendation 1/2012 on the Standard Application form for Approval of Binding Corporate Rules for the Transfer of Personal Data for Processing Activities (WP133), available in English on http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm shall also be noted.

Art. 29 Working Group has also adopted working document on Frequently Asked Questions (FAQs) related to Binding Corporate Rule (WP 155 rev.4), available on the following website:

http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/index_en.htm

What does mutual recognition of Binding Corporate Rules mean?

Having in mind speeding up of EU cooperation procedure as regards review of BCR by personal data protection authorities, mutual recognition procedure has been agreed. In line with art. 48 4) of the Act, before approval of the binding corporate rules the Inspector General may consult competent data protection authorities from countries being members of the European Economic Area, on the territories of which the entrepreneurs belonging to the group have their seats, by providing them with necessary information for this purpose. While issuing this decision  the Inspector General shall take into account the consultations and in case where the binding corporate rules have been subject of the decision of a data protection authority from another country being a member of the European Economic Area it can deem such
a decision.

In the course of this procedure, if leading authority deem that BCR meets the requirements laid down in working documents, data protection authorities in the framework of mutual recognition procedure accept such an opinion as sufficient legal basis for issuing of their own national permission with regard to BCR or for issuing a positive opinion for an authority which issues such a permission. In BCR assessment leading authority is assisted by two other personal data protection authorities that are selected to participate.

Declaration of mutual recognition is available on the following websites:

English version: www.giodo.gov.pl/plik/id_p/6781/j/pl/

Unofficial Polish translation: www.giodo.gov.pl/plik/id_p/6780/j/pl/

What information need to be included in an application for consent for the transfer of personal data to a third country?

If in the applicant’s opinion, it is necessary for the Inspector General to express the consent to the transfer of personal data to a third country, the abovementioned applicant shall submit the evidence allowing to confirm that the suggested safeguards with respect to the protection of the rights and freedoms of data subject, and in particular the right to privacy are adequate. Therefore the Inspector General requires the applicants to specify:

1. the parties of such transfer,
2. categories of personal data,
3. extent of data to be transferred,
4. purpose and estimated time of the transfer operations,
5. safeguards undertaken by the parties that intend to transfer personal data, in order to protect rights of the data subjects, including for instance: presentation of the content of the contract or other legal instrument constituting the ground for personal data transfer,
6. organisational and technical meaasures implemented by the recipient of personal data to protect the data transferred (precise description).

What information should an application for approval of  Binding Corporate Rules contain?

In case of application of approval of Binding Corporate Rules, an applicant should enclose following documents:

1. Binding Corporate Rules;
2. The decision of leading personal data authority from other member state of the European Union, which approved Binding Corporate rules in the course of the mutual recognition procedure (if any);
3. Filled-in application for approval of Binding Corporate Rules, drafted by the Article 29 Working Party (WP133).

In the course of the proceeding the Inspector General is empowered to request the applicant to submit additional explanations or documents.

Each application needs to fulfil the requirements laid down in the Act of 14 July 1960 - Code of Administrative Proceedings (Journal of Laws of 2013 item 267 with amendments).

Required elements of each written application submitted to the Inspector General are:

• information identifying the applicant, such as: name and surname/full name of the entity as well as address of establishment/ address of residence,
• handwritten signature of the applicant,
• valid extract from the National Court Register or other register, or certificate or information from a record relevant to the legal form of the applicant;
• payment slip for stamp duty.

ATTENTION If the applicant acts on behalf of other person or entity (as their representative), it is also obliged to:

• attach to the application an original or certified copy of a power of attorney to act in proceedings before the Inspector General for Personal Data Protection on behalf of an entity.

ATTENTION According to the Act of 7 October 1999 (Journal of Laws No. 90, item 999 with amendments), the application and the documents attached thereto shall be in Polish language version.

The written application may be submitted:

• by post to the Bureau of the Inspector General for Personal Data Protection (at the following address: Biuro Generalnego Inspektora Ochrony Danych Osobowych, ul. Stawki 2, 00 - 193 Warszawa),
• in person, at the Bureau of the Inspector General for Personal Data Protection address as above).
• by electronic means, using the electronic inbox available on the website of the Inspector General for Personal Data Protection, (www.giodo.gov.pl, in the “Electronic Inbox” tab).

ATTENTION! Applications submitted by electronic means need to include a safe electronic signature verified by a valid qualified certificate complying with the norms specified in the provisions on electronic signature.

An obligation to pay stamp duty arises in case of:

• submitting an application to the Inspector General for Personal Data Protection (regardless of the form of submission),
• submitting a power of attorney/proxy in the proceedings before the Inspector General for Personal Data Protection (both in case of the original document and its copy or excerpt).

The stamp duty rate amounts to:

• PLN 10.00- in case of application for consent to data transfer to a third country,
• PLN 17.00- in case of a power of attorney.

Stamp duty is to be paid at the cash-desk or by bank transfer to: Dzielnica Śródmieście m. st. Warszawy, ul. Nowogrodzka 43, 00 – 691 Warszawa,

Account no: 60 1030 1508 0000 0005 5001 0038.

The persons making money transfers from abroad should use the following bank account number:

DZIELNICA SRODMIESCIE
m. st. Warszawy
ul. Nowogrodzka 43
00 – 691 Warszawa
SWIFT CODE: CITIPLPX
IBAN: IBAN (space) PL60 1030 1508 0000 0005 5001 0038

Transfer title should include (apart from content) the expression stamp duty for... and the acronym, GIODO. Payment slip should be sent to the Bureau of the Inspector General for Personal Data Protection.