On 16 July 2020, the Court of Justice of the European Union (“CJEU” or “Court”) in its ruling “Data Protection Commissioner v Facebook Ireland Limited, Maximilian Schrems C-311/18”, invalidated Decision no. 2016/1250 and the Agreement between the European Union and the United States of America on the protection and regulation of the European citizens’ personal data transfer to recipients located in the United States (“Privacy Shield”).

The European Data Protection Board or “EDPB”) has prepared “Frequently Asked Questions” (“FAQ“) which the Italian Data Protection Authority (“Garante”) translated into Italian.

These FAQs underlined that the other tools provided for by EU Regulation 2016/679 on the protection of personal data (“Regulation“) such as the “Standard Contractual Clauses” or “SCC“ and “Binding Corporate Rules” or “BCR” can still be considered adequate to legally transfer personal data to recipients outside the European Union.  It is highlighted that it was the parties’ responsibility to assess transfers on a case-by-case basis with the clarification that: “The European Data Protection Board is analysing the Court’s judgement to determine additional measures whether legal, technical or organisational, could be provided with SCC or BCR, to transfer data to third-party countries where SCC or BCR cannot provide sufficient guarantees.”

The FAQs refer to an additional tool as the legal basis for such transfers – data subject consent. It is reiterated that consent language must be simple and clear and must transparently inform data subjects about the possible risks that a transfer to the US or other foreign jurisdictions could entail.

Further tools provided by the Regulation as legal bases to legitimise transfers abroad are: (i) an adequacy decision on European requirements on personal data protection and (ii) compliance with Codes of Conduct or certification mechanisms which must be applied by the party to whom the data are transferred.

◊◊◊◊

In the light of the Court’s ruling and the EDPB’s FAQs, it will be the task of any organisation that transfers data to recipients outside the EU to carry out processing assessments and identify related risks, and the appropriate tool to legitimise the transfer.

Others Insights correlati:

Privacy Shield: the Court of Justice of the European Union invalidates the EU – USA Agreement

On 6 September 2019, the European Data Protection Board (“EDPB“) completed its public consultation on the document containing the draft of the forthcoming Guidelines 3/2019 concerning video surveillance (“Guidelines 3/2019 on processing of personal data through video devices“).

The images and audio tracks that are processed through the use of video surveillance systems, fall under the definition of “personal data” as they enable individuals to be identified, be it directly or indirectly. The processing of such information must therefore fully comply with EU Regulation 2016/679 – GDPR – on the protection of personal data and (in accordance with Italian law) and Legislative Decree 196/2003 as amended by Legislative Decree 101/2018 containing the rules for adapting national legislation to the said Regulation.

The aim that the European Committee intends to achieve with the issuance of these new Guidelines, is to ensure a uniform application of the legislation on video surveillance within all Member States of the European Union.

In view of the foregoing, it must first be made clear that the clarifications given in the draft concerning the legal basis on which the installation of the system is based are of fundamental importance.
In principle, it is possible that all the conditions for lawfulness set forth in Article 6, paragraph  1), of the GDPR are met, even if those most applied in practice are the legitimate interest that the Data Controller needs to pursue (Article. 6, paragraph 1), section f), GDPR) or the performance of a task in the public interest (Article 6, paragraph 1), section e), GDPR).

The European Committee clarifies that the Data Controller must specify in detail both the legal basis on which the data processing carried out is based and the detail of the purposes pursued. A system based on “security” in its simplest and most general sense is no longer a sufficiently detailed purpose.

Another important clarification concerns filming based on legitimate interest. Data processing is considered lawful only if this legal basis remains real, current and demonstrable at all times.

The Italian Data Protection Authority has, on several occasions, recommended that Data Controllers use the video surveillance tool in a proportionate and non-excessive manner and this approach can be found in the draft of the forthcoming Guidelines. Before proceeding with the installation of such systems, in fact, the Data Controller must use other tools (such as, for example, support by appropriate security staff, the provision of remote-controlled gates or adequate lighting) and demonstrate the effective need for the adoption of a video surveillance system. This, paying particular attention to limiting and defining, both temporally and geographically, filming in order to constantly respect the principle of minimisation of personal data pursuant to Article 5, point 1, section c) of the GDPR.

Each Data Controller is required to balance the interests involved by analysing, on a case-by-case basis, the legitimate interests of the Data Controller, on the one hand, and the fundamental rights and freedoms of the data subjects on the other.

In view of the above, the EDPB is awaiting the publication of the final text of the Guidelines, which are not only the first document to apply the principles of the GDPR to data processing carried out by video filming, but also, by national law, the first new document on the subject after the “Provision on video surveillance” issued by the Italian Data Protection Authority on 8 April 2010.