Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

GDPR: a new hope for the use of BCRs for cloud providers in Portugal

06.03.2017


The General Data Protection Regulation recognises and preserves the existing transfer mechanisms under the Data Protection Directive for transfers of personal data to third countries which do not provide an adequate level of data protection.

Controllers and processors may transfer personal data outside the European Union (“EU”) / European Economic Area (“EEA”) if they have adduced appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Those safeguards are intended to ensure that, post-transfer, the data is processed in compliance with data protection requirements of a European standard and that data subjects have the same rights as they have in the EU.

Currently, the Portuguese Data Protection Law, which implemented the Directive, requires that a transfer to third countries outside the EU/EEA be authorised in advance. Whilst EU Model Clauses have been accepted as providing appropriate safeguards, Binding Corporate Rules (“BCR”), as company-specific, group-wide data protection policies, have never been considered admissible.

All transfers of data to entities located outside the EU/EEA on the grounds of EU Model Clauses have been categorized as “provisional” by the Portuguese Data Protection Authority (“CNPD”) after the decision of the CJEU which invalidated Safe Harbor. On the 22nd of October 2015, the CNPD (following the opinion of the Article 29 WP) decided to revoke all existing authorizations of international transfers based on Safe Harbor and to issue only provisional authorizations for transfers of personal data through alternative mechanisms such as EU Model Clauses, until the impact of the CJEU decision on EU Model Clauses has been fully assessed as to whether they are sufficient to guarantee an adequate level of data protection.

The position of the CNPD on BCRs has been not to admit their use, on the basis that, under Portuguese law, they are “unilateral self-binding declarations” and that “declarations of this kind cannot constitute a source of obligations under Portuguese law”. Also, Portugal is not yet part of the mutual recognition process, which would allow it to recognize another DPA’s decision on the adequacy of the BCRs (http://ec.europa.eu/justice/data-protection/international-transfers/binding-corporate-rules/mutual_recognition/index_en.htm). Therefore, the implementation of BCRs in Portugal currently still requires a binding contract (bilateral or multilateral agreement) to be signed by all parties involved in the data transfers, together with the respective authorization filings with the Portuguese Data Protection Authority.

The GDPR brings new hope for the application of BCRs, especially for cloud providers (as processors), as BCRs are given specific recognition in the Regulation, which also sets out in detail the content they must include and the procedure under which they will be approved. However, unless the CNPD provides some clarification before then, we will have to wait until May 2018 to actually put this to the test.

 

Article provided by: Ricardo Henriques, Abreu Advogados, Portugal
