18/08/20
17:36
Originally posted by circlingshark:
https://www.oaic.gov.au/privacy/guidance-and-advice/australian-entities-and-the-eu-general-data-protection-regulation/

Overseas transfers of personal data

Under the GDPR, personal data may be transferred outside the EU to countries or international organisations that provide an adequate level of data protection. The GDPR sets out in detail the factors the EU Commission is to consider when deciding whether a third country or international organisation ensures an adequate level of protection (Article 45).[24] The European Data Protection Board (which replaces the Article 29 Working Party) is required to provide the Commission with an opinion assessing the adequacy of a country or organisation’s level of data protection (Article 70(1)(s)).

In the absence of an adequacy decision, overseas transfers are permitted in some limited circumstances, on condition that individual’s enforceable rights and effective remedies are available and, where appropriate, safeguards are in place. Such appropriate safeguards include:

- the data controller has in place approved ‘binding corporate rules’ that enable transfers within a corporate group
- the data controller has entered into an agreement that contains the ‘standard data protection clauses’ adopted by the EU Commission or a data protection authority
- approved codes of conduct are in place, and the recipient controller or processor gives binding and enforceable commitments to apply appropriate safeguards
- an approved certification has been made by an accredited body, and the recipient controller or processor gives binding and enforceable commitments to apply appropriate safeguards (Article 46)

In the absence of an adequacy decision or appropriate safeguards such as those outlined above, overseas transfers are also permitted in very specific situations. An example is where an individual explicitly consents to the proposed transfer after they have been provided with certain information about the possible risks associated with the transfer (Article 49).
Visa EU transferred another company's data (ISX) to Visa AU. Nothing in your guidance specifies that it is lawful to transfer another company's data that you are examining under an NDA agreement to another entity without their (ISX in this case) permission. Your guidelines only state that if you are going to transfer personal data of your own company to another subsidiary then it must be under an adequate level of data protection.