Data Protection: Third Countries


Another issue that any Data Controller should take into consideration outside these principles above is the issue of transferring data to a country outside the European Union. Since all the states in the European Union follow a common Data Protection standard set out in Directive 95/46(EC) it is generally held that transfer of data to other countries in the European Union is only subject to the principles listed above. If one were to consider transferring data to a country outside the European Union, however, the Third Country Regulations (S.L. 440.03) will apply. In such a case, the Data Controller must always notify the Data Commissioner of the transfer or face liability to a fine of €23,293 for each violation and a further €2,329 for each day for each day any violation persists. This means that one would have to pay the first fine for every separate violation followed by the second applying to each day any particular violation continues to persist. In all cases, the Data Commissioner has the final decision on whether the Third Country has an adequate level of data protection. Even though the Commissioner is notified, he may well decide that the level of protection is below standard and subsequently prohibit the transfer of personal data to that country.

The law does however stipulate certain exceptions where the Commissioner’s discretion does not apply. In short, they are as follows:

  1. When the Minister in charge of Data orders that the transfer be made anyway.
  2. Where the Data Subject gives unambiguous consent.
  3. Where the processing is necessary for the Data Subject and Controller for pre contractual or contractual purposes.
  4. Where the public interest is involved such as where somebody makes a legal claim.
  5. To protect the vital interests of the data subject.
  6. Where the information is available to others by law under certain conditions
  7. Where the Commissioner establishes conditions with the Third Country to ensure a better level of protection.