On Tuesday November 3, the Spanish data protection authority, Agencia Española de Protección de Datos (AEPD), sent a letter to all companies operating in Spain that had previously notified the AEPD of cross-border data transfers to Safe Harbor certified companies.  The letter warns companies that because Safe Harbor certifications are no longer recognized as valid, they must take steps to ensure that alternative mechanisms are implemented in order to continue transferring data to Safe Harbor certified companies in the United States. In particular, the AEPD is requiring all companies that received the letter to inform it not later than January 29, 2016 of any mechanisms that have been implemented to ensure adequate protections for personal data transferred to importers in the United States.

The AEPD letter implicitly recognizes the following mechanisms as adequate to justify data transfers to jurisdictions without adequate data protection:

  • Standard contractual clauses remain adequate, but as before, they must be authorized by the AEPD. The authorization process generally takes about three months.
  • Data transfers remain adequate without authorization from the AEPD if they meet one of the following conditions:
    • The transfer is made with the data subject’s unambiguous consent;
    • is necessary for the performance of a contract with, or in the interests of, the data subject;
    • results from a treaty or convention to which Spain is a party;
    • is necessary or legally required to safeguard public interest, provide judicial aid, medical care, or support legal claims;
    • is necessary to protect the vital interests of the data subject; or
    • is made from a public register.

Although no express reference is made to Binding Corporate Rules (BCRs), there is no reason to believe that this is not a valid mechanism, provided that authorization is obtained from the AEPD. Regardless of whether a specific mechanism requires authorization, all data transfers require prior notification to the AEPD.

The practical effect of the letter will likely be to confirm that the alternative mechanisms listed above remain available to companies, provided that they appropriately inform the AEPD.

The letter also notes that companies that fail to inform the AEPD of the mechanisms used to justify cross-border data transfers may be subject to enforcement actions, which may include monetary fines and the temporary suspension of transfers.