
GDPR: a new hope for the use of BCRs for cloud providers in Portugal

Ricardo Henriques (PT), Partner of EuroCloud CPC Network


The General Data Protection Regulation recognises and preserves the existing transfer mechanisms under the Data Protection Directive for transfers of personal data to third countries which do not provide an adequate level of data protection.

Controllers and processors may transfer personal data outside the European Union (“EU”) / European Economic Area (“EEA”) if they have adduced appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Those safeguards are intended to ensure that, post-transfer, the data is processed in compliance with data protection requirements of a European standard and that data subjects have the same rights as they have in the EU.

Currently, the Portuguese Data Protection Law, which implemented the Directive, requires that a transfer to third countries outside the EU/EEA be previously authorised. Whilst EU Model Clauses have been admitted as providing appropriate safeguards, Binding Corporate Rules (“BCR”), as company-specific, group-wide data protection policies, have never been considered admissible.

All transfers of data to entities located outside the EU/EEA on the grounds of EU Model Clauses have been categorized as “provisional” by the Portuguese Data Protection Authority (“CNPD”) after the decision of the CJEU which invalidated Safe Harbor. On the 22nd of October 2015, the CNPD (following the opinion of the Article 29 WP) decided to revoke all existing authorizations of international transfers based on Safe Harbor and to issue only provisional authorizations for transfers of personal data through alternative mechanisms such as EU Model Clauses, until the impact of the CJEU decision on EU Model Clauses is fully assessed as to their sufficiency in guaranteeing an adequate level of data protection.

The position of the CNPD on BCRs has been not to admit their use, on the basis that, under Portuguese law, they are “unilateral self-binding declarations” and that “declarations of this kind cannot constitute a source of obligations under Portuguese law”. Also, Portugal is not yet part of the mutual recognition process, which would allow it to recognize another DPA’s decision of adequacy of the BCRs (http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/mutual_recognition/index_en.htm). Therefore, the implementation of BCRs in Portugal currently still requires a binding contract (bilateral or multilateral agreement) to be signed by all parties involved in the data transfers, along with the respective authorization filings with the Portuguese Data Protection Authority.

The GDPR brings a new hope for the application of BCRs, especially for cloud providers (as processors), as they are given specific recognition in the Regulation, which also sets out in detail the content they must include and the procedure under which they will be approved. However, unless we have some clarification from the CNPD before then, we will have to wait until May 2018 to actually put this to the test.

 

Article provided by: Ricardo Henriques, Abreu Advogados, Portugal
