Trilantic - document solutions for legal professionals

What Needs to be Done Prior to Shipping

Transfer of Data to Countries Outside the European Union

Article 76

1. Personal data which is subject to processing or intended for processing after it has been transferred, shall only be transferred to a country outside the European Union in the case that, without prejudice to compliance with the provisions of this Act, that country guarantees an adequate level of protection.

2. An assessment of the adequacy of the level of protection shall take account of the circumstances affecting a data transfer operation or a category of data transfer operations.

Account shall be taken in particular of the type of data, the purpose or purposes and the duration of the planned processing or processing operations, the country of origin and country of final destination, the general and sectoral legal provisions applying in the non-member country concerned, as well as the rules governing the business sector and security rules applying in these countries.

Article 77

1. Notwithstanding Article 76, an operation or category of operations to transfer personal data to a non-member country which does not provide guarantees for an adequate level of protection may take place, provided that:

a. the data subjects have unambiguously given their consent thereto,

b. the transfer is necessary for the performance of a contract between the data subjects and the responsible parties, or for actions to be carried out at the request of the data subjects and which are necessary for the conclusion of a contract;

c. the transfer is necessary for the conclusion or performance of a contract concluded or to be concluded between responsible parties and third parties in the interests of data subjects;

d. the transfer is necessary on account of an important public interest, or for the establishment, exercise or defence in law of any right;

e. the transfer is necessary to protect a vital interest of data subjects, or

f. the transfer is carried out from a public register set up by law or from a register which can be consulted by anyone or by any persons who can invoke a legitimate interest, provided that in the case concerned the legal requirements for consultation are met.

2. Notwithstanding the provisions under (1), Our Minister, after consulting the Data Protection Commission, may issue a permit for a personal data transfer or category of transfers to a nonmember country that does not provide guarantees for an adequate level of protection. Attaching to this permit are the more detailed rules required to protect the individual privacy and fundamental rights and freedoms of persons and to guarantee implementation of the associated rights.

Article 78

1. Our Minister shall notify the Commission of the European Communities of:

a. the cases in which, in his or her opinion, a non-member country does not provide guarantees for an adequate level of protection within the meaning of Article 76(l), and

b. a permit, as referred to in Article 77(2).

2. Where this follows from a decision of the Commission of the European Communities or the Council of the European Union, Our Minister shall lay down by ministerial ruling or by decision that: the transfer to a country outside the European Union is prohibited;

a country outside the Union is considered to guarantee an adequate level of protection, or a permit issued under Article 77(2) is withdrawn or modified.

3. The notifications referred to under (1) (a) and (b) shall be published in the Official Gazette.

Please see the Dutch Data Protection Authority website for further details on the statute