In Greece, prior to the Schrems Judgement, the transfer of data to the US on the legal basis of Safe Harbor was allowed without the need for prior permission from the Data Protection Authority (DPA), subject to simple Notification. However, on Wednesday 21 October 2015, the local DPA issued an announcement according to which, from now on, transfers based on Safe Harbor are no longer legal.
The Greek data protection legal regime makes the following distinctions regarding the trans-border flow of personal data to non-EU countries:
a) This type of transfer is free if the Controller receives prior permission from the Data Protection Authority (DPA), provided that the Authority considers that a specific country ensures an adequate level of protection.
b) When the Authority considers that a country does not ensure an adequate level of protection, trans-border transfer is permitted only exceptionally, subject to receiving prior permission from the DPA, and only on condition that one or more of the following apply: i) the data subject has given his/her prior consent; ii) processing is necessary for the execution of a contract to which the data subject is a contracting party, or in order to undertake measures following the subject's request during the pre-contractual stage; iii) processing is necessary for the execution of an obligation of the Controller that is imposed by law; iv) processing is absolutely necessary for the satisfaction of a legitimate interest of the Controller or of the third person to whom the data is notified; v) processing is necessary for emergency reasons and in order to safeguard superior public interest, prima facie while executing co-operation contracts with the third country's Public Authorities; vi) processing is necessary to file or to defend a right before a Court; vii) transmission takes place from a public record that is intended to provide information available to the public; and viii) the Controller provides adequate safeguards, or those safeguards derive from contractual clauses that are aligned with the data protection law. In this last condition, permission of the Data Protection Authority is not needed if the European Commission has already ruled that specific contractual clauses do provide adequate safeguards (as provided for in the Data Protection Directive).
c) The permission from the Authority is not necessary if the European Commission finds that this country ensures an adequate level of protection, as provided for in par. 2 of article 25 of the Data Protection Directive.
Hence, prior to the judgement of the Court of Justice of the European Union of 6 October 2015 in the Maximilian Schrems v Data Protection Commissioner case (C-362-14) (the Schrems Judgement), permission from the local DPA was not needed where an adequate level of protection was supported by (i) a valid Safe Harbour certificate for US entities and a simple Data Transfer Agreement; or (ii) an agreement between the data importer and data exporter corresponding to the Standard Contractual Clauses issued by the European Commission; or (iii) an Intra-group Data Transfer Agreement (e.g. Binding Corporate Rules). Nonetheless, all Controllers had to Notify the Greek DPA of the trans-border transmission to the US and of the legal basis of that transmission (even if permission was not necessary).
Following the WP29 Statement (dated 16-10-2015) on the implementation of the Schrems Judgement, the Greek DPA issued an announcement on 21-10-2015 stating that the transmission of personal data to the US on the basis of Safe Harbour principles is no longer legal. Therefore the Greek DPA calls on all Controllers that had Notified the DPA regarding trans-border transmission to the US based on Safe Harbor to stop any data transmission to that country from now on. The local DPA further stated that WP29 is expected to study the impact of the above decision of the CJEU on all the instruments that have been laid down by Community and national legislation for the transmission of data outside the EU. In the meantime, the Data Protection Authorities of the EU consider that Standard Contractual Clauses and Binding Corporate Rules can still be used as legal instruments for those transmissions. Finally, the Greek DPA recalls that it has in any case the power to check whether the transmission of data to countries outside the EU complies with the conditions of Community and national law, and to prohibit any transmission that is contrary to it.
So, until WP29 and the local DPA issue further guidance on what the legal grounds for trans-border transmission to the US would be, all Controllers that are interested in transmitting personal data to the US should either uphold Standard Contractual Clauses and Binding Corporate Rules (if applicable) or file a request to receive permission from the DPA on the basis that one of the eight elements described in point b) applies to the specific transmission.
Mina Zoulovits, Partner at Filotheidis & Partners Law firm