Due to the progressive growth of personal data transfers to outside European Union (EU), the Portuguese Data Protection Authority – Comissão Nacional de Proteção de Dados (“DPA”) – issued on November 10, 2015 specific guidelines on Intra-Group Agreements (IGA) involving transfers of personal data outside the EU.
The guidelines state that in general terms and taking in consideration that IGA are multilateral agreements often involving transfers of personal data to countries outside the EU which do not ensure an adequate level of protection, DPA considers that such transfers require its prior authorization for purposes of assessing if the IGA contain sufficient guarantees that the personal data transferred benefits from the same level of protection as in the EU.
According to the guidelines, when IGA implement EU model clauses and data controllers declare that IGA are identical to model clauses at the time of the authorization request, DPA will consider that authorization can be expedited.
DPA also provides in the guidelines specific criteria to be taken into consideration so that IGA are considered to ensure a sufficient level of protection. For example, IGA may not modify more than superficial aspects of the EU model clauses – such as punctuation or translation – and terms restricting the scope of the third beneficiary clause or the parties’ liability in relation to the data subject are not allowed.
By Margarida Leitão Nogueira and João Costa Quinta, ABBC Law Firm