German data-protection authorities decide on requirement to review Safe Harbor self-certification of U.S. data importers by the exporter


In 2000, the European Union and the U.S. Department of Commerce agreed to the Safe Harbor framework, which includes principles governing the protection of personal data transferred to a U.S.-based company that self-certifies compliance with the Safe Harbor Principles. Compliance with the Principles is deemed by the EU to provide an adequate level of protection for the processing of personal data. Transfers of personal data outside the European Economic Area are prohibited unless adequate measures to protect the data are implemented, and the Safe Harbor framework is one method of ensuring adequate protection for transfers of personal data from the EU to the United States. The Department of Commerce publishes a list on the Internet of all companies that have self-certified under Safe Harbor, including information on the status of the certification and on the type of personal data covered by the certification.

On 28/29 April 2010, the "Düsseldorfer Kreis," a working group of the German data-protection authorities ("DPAs"), issued a decision stating that data exporters in Germany may not rely solely on the published Safe Harbor list to determine whether a data importer complies with the Safe Harbor Principles. Companies seeking to export data must (i) conduct minimum checks before they transfer data to a company listed on the U.S. Department of Commerce Safe Harbor website as certified, and (ii) request verification of compliance with the Safe Harbor Principles. The Düsseldorfer Kreis recommended checking the date on which the U.S. company certified, and further suggested that if the self-certification dates back more than seven years, it should be considered invalid. In addition, the Düsseldorfer Kreis demands that the exporter request from the importer information and evidence as to how the importer complies with its notice obligations to those individuals whose personal data is to be transferred. This is of particular importance because the German data exporter must convey this information to the data subjects so that they can fully exercise their rights under German data protection law.

Please see full alert below for more information.


Written by: Reed Smith
