Increasingly, international business relations involve the transfer of personal data of individuals (name, gender, address, etc.) from EU/EEA to non-EU/EEA countries (Third Countries).
The personal data transfer includes sending, transmitting, or making personal data available in another country. The Polish Act of 29 August 1997 on the Protection of Personal Data and the Bulgarian Personal Data Protection Act in force from 1 January 2002 implement the EU Data Protection Directive 95/46/EC (Directive), which aims to protect the rights and freedoms of the individuals with respect to the transfer of their personal information by providing guidelines for when a transfer is lawful.
Lawful data processing
The transfer of personal data from Bulgaria or Poland to a Third Country is legal only if the data is processed in compliance with applicable national privacy laws. Generally, prior to processing personal data, the entity must register with the competent national authority as a “data controller”. While processing personal data, the entity must apply certain security measures to protect the data. Further, both Bulgarian and Polish privacy laws impose various requirements on the processing of personal data (eg, to be processed for specific, precisely defined, and legitimate purposes; to be relevant and not excessive to those purposes; etc.) for entities to lawfully transfer personal data of individuals to a Third Country. For instance, if an entity wishes to transfer personal data to a Third Country for purposes that are different from the initial purpose of processing, the transfer will likely be deemed unlawful unless it is required by law.
Adequate level of data protection
The personal data can be transferred to a Third Country if that country’s laws provide for at least the same standards of personal data protection as in Bulgaria or Poland (Adequate Level of Protection). Entities in Bulgaria and Poland often face a question as to which Third Countries provide an Adequate Level of Protection. In Bulgaria the adequacy of the level of protection afforded by a Third Country is usually assessed by the Bulgarian Commission for Personal Data Protection (CPDP), considering the nature of the data, the final destination, etc. The Polish Data Protection Authority, on the other hand, does not provide such an assessment. Instead, it is made by the data controller (who, however, is not left alone on the matter).
Decisions of the European Commission
The European Commission decides which Third Countries to recognise as providing an Adequate Level of Protection. They include Argentina, Australia, Canada, Switzerland, Israel, Isle of Man, and more. The determination of the European Commission is binding on Bulgaria and Poland. The US uses a different approach to data protection and is generally not considered as providing an Adequate Level of Protection, with certain exceptions, such as the Safe Harbour principles. Developed by the US Department of Commerce in consultation with the European Commission, the Safe Harbour connects the different privacy approaches of the EU and the US and provides an opportunity for US entities to comply with the Directive and avoid impediments with respect to privacy in their business with the EU.
In Bulgaria, the transfer to the aforesaid countries, recognised as providing an Adequate Level of Protection, generally requires notification of the CPDP (who rarely objects). In Poland, the transfer to those countries can commence freely, as if within the EU/EEA.
What if there is no Adequate Level of Protection?
Under Polish law, if a Third Country does not provide an Adequate Level of Protection, the transfer can commence only with permission of the Polish Data Protection Authority. Permission will normally be granted if the data controller ensures that, in connection with the transfer, the rights of the individual are protected as in the EU/EEA. This may be achieved, for example, by including standard contractual clauses in the data transfer contract. The standard contractual clauses come from decisions of the European Commission and are recognised as adequate safeguards of the personal data. The Polish Data Protection Authority will not refuse permission for a transfer if the contract contains these standard contractual clauses.
In some situations, personal data may be transferred to a Third Country that does not provide an Adequate Level of Protection, even without the permission of the Polish Data Protection Authority. One such situation is the explicit written consent of an individual duly informed about the circumstances of the transfer.
In practice, the prior approval of the CPDP is always required in Bulgaria for a data transfer to a Third Country, even with the explicit consent of the individual. The approval is usually granted if the data controller implements the mentioned standard contractual clauses. Still, the CPDP often prefers explicit consent from the individual even if other safeguards are in place (such as standard contractual clauses) to guarantee the fair processing of the personal data.
Despite coming from the same legal source (the EU Data Protection Directive 95/46/EC), the Bulgarian and Polish laws on transferring data to Third Countries are applied differently. Hence, each case involving data transfer should be individually approached and advised on.