Guide on international data transfers
By Mariano Peruzzotti, Santiago Durañona and Antonella Balbo.
Guide on international data transfers
On November 11, 2021, the Ibero-American Data Protection Network (“Network”) released a draft Guide for the implementation of standard contractual clauses that can be used to validate international data transfers (“Guide”). The Network had expected to gather the views and concerns of all interested stakeholders and citizens until November 23, 2021. In this article, we comment on the most relevant aspects of the Guide.
- The Network
The Network constitutes an association of Spanish speaking countries in North, Central and South America, Brazil, Spain and Portugal. It is represented by relevant authorities and experts in the field and one of its goal is to develop initiatives and projects related to the protection of personal data in Ibero-America. The Agency for the Access to Public Information, Argentina’s data protection authority (“Agency”), is an active member of the Network together with other Ibero-America enforcement authorities.
2. International data transfers
In most personal data protection legislations, international data transfers to countries that do not provide for adequate data protection legislation are permitted only to the extent that certain safeguards are adopted, such as the use of standard contractual clauses (“SCCs”).
The European Union has adopted new SCCs on June 4, 2021, published by the European Commission. Said clauses replace the previous standard contractual clauses adopted in 2001 and 2010 under the Data Protection Directive 95/46/EC, to adapt to the provisions of the EU General Data Protection Regulation commonly known as GDPR as well as the EU Court of Justice’s rulings.
In Argentina, the Agency’s Rule No. 60-E/2016 approved two set of SCCs that can be used in cases of international data transfers (controller to controller and controller to processor transfers).
On the same line, the Regulatory and Control Unit for Personal Data in Uruguay has recently issued Resolution No. 41/2021 which includes a guide with the minimum content that international data transfer contracts must contain.
Notwithstanding the above-mentioned cases, there are no SCCs jointly agreed in Latin America.
3. The Guide
The Guide aims to set out the main aspects to be considered when international transfers of personal data are validated by means of SCCs.
The Guide lists a number of recommendations and guidelines on the practical implementation of SCCs. It also proposes two set of SCCs: one for transfers between controllers and the other for controllers to processors transfers. These two sets are considered to be a preliminary step as the Network expects to create several other templates addressing other situations in the future.
The Guide does not replace either local legislation or the provisions approved by the relevant data protection authorities of the region. Indeed, the application of this Guide and the use of the SCCs shall follow the recommendations, provisions and regulations of the local data protection authorities and by all means go in hand with local legislation.
Parties may freely use the proposed SCCs in a broader contract or include other contractual clauses or guarantees provided that they do not directly or indirectly contravene, alter or modify, the SCCs or affect the data subjects’ fundamental rights.
The Network’s Personal Data Protection Standards for Ibero-American States passed on in Santiago, Chile, in 2017, were taken as a reference for the drafting of both the Guide and the SCCs.
The text of the Guide and the SCCs can be consulted at the following link.
For further information contact: mperuzzotti@ojambf.com.
