International data transfers
CMS Cameron McKenna: CEE Guide
2010
Contents
Bulgaria
Czech Republic
Hungary
Poland
Romania
Russia
Slovakia
Ukraine
Please note that the Guide and its contents do not constitute legal advice. Professional legal advice should be sought
when navigating through any data protection issues. The contents of the Guide are correct as at 1 July 2010.
Introduction
Irrespective of their type of business, companies these days are more often
choosing to outsource selected activities to entities that professionally deal
with these operations. In many cases, the chosen professional service
providers are based in another country, and often outside the European
Economic Area.
In most cases such outsourced operations include processing the personal data of both
employees and individuals providing services on the basis of other types of contracts, as well as
clients and prospective clients. In many cases the outsourcing is of a multi-jurisdictional nature.
This tendency to outsource business operations including the processing of personal data results
in challenges for companies. Before taking decisions to outsource operations where personal
data processing plays a key role, they have to learn about the differences in national regulations
regarding data protection, among other things.
We understand these challenges and we would like to support you by offering you the Guide on
International Data Transfers in CEE. The Guide has been prepared in a question and answer
format and has been divided into eight country-specific chapters, i.e. Bulgaria, Czech Republic,
Hungary, Poland, Romania, Russian Federation, Slovakia and Ukraine. In these jurisdictions CMS
has been providing legal assistance on personal data protection to businesses for many years.
This has enabled us to develop a unique understanding of our clients' objectives on personal data
protection. All of our CEE practices have dedicated data protection lawyers with a wealth of
experience in proceedings related to data transfers conducted by the regulatory bodies in their
respective countries. This puts our firm in the advantageous position of being able to advise on
data protection issues right across the region. The CEE Data Protection Group, our internal forum
for knowledge sharing and training in this area of the law, enables our lawyers to discuss current
legal developments as well as pool their experience and effectively tackle client issues.
Our objective is that the Guide will prove useful to you in your business operations. We very
much value your opinion and comments on the Guide, as they will help us prepare new editions
of the publication even better tailored to your business needs. Therefore, we would appreciate it
if you could send any comments on this document to the following address:
Internationaldatatransfers@cms-cmck.com.
Andrzej Krasuski
Partner
CEE Data Protection Group Coordinator
Bulgaria
Regulatory framework
The Bulgarian regulatory framework on international transfer of personal data consists of the
following regulations:
The Personal Data Protection Act, published in State Gazette No. 1 dated 4 January 2002, as
amended from time to time with the last amendment on 5 June 2009 (hereinafter referred to
as the PDPA).
The Rules on the Activities of the Commission for Personal Data Protection and its
Administration, published in State Gazette No. 11 dated 10 February 2009.
Scope of the PDPA with respect to personal data administrators: The PDPA applies if the
personal data administrator:
is established on the territory of the Republic of Bulgaria
is not established on the territory of the Republic of Bulgaria but is bound to apply the
PDPA by virtue of international public law
is not established on the territory of a European Union Member State, nor in another
member country of the European Economic Area but, for the purposes of such processing,
makes use of means located on the territory of the Republic of Bulgaria, unless such means
are used exclusively for transit purposes; in such a case the administrator must designate a
representative established on the territory of the Republic of Bulgaria.
With respect to the subject matter and the purpose of the processing of personal data, the
PDPA also applies to the processing of personal data for defence, national security and public
order purposes as well as for the purposes of criminal justice; insofar as this is not governed
by special laws. The PDPA does not apply to the processing of personal data by individuals for
their personal or household activity or to information preserved in the National Archive.
the transfer is necessary in order to protect the life and health of the individual to whom
such data relate
The data originate from a public register accessible pursuant to the rules and conditions
stipulated by law.
The transfer of personal data to third countries shall also be admissible in all cases where it is
performed exclusively for the purposes of journalism, or literary or artistic expression to the
extent to which it does not violate the right to privacy of the person to whom such data relate.
In any other case not mentioned above, the transfer of personal data to a third country shall
take place upon the approval of the CPDP provided that both the administrator transferring
the data and the administrator receiving the data have provided adequate safeguards for the
protection of such data. The CPDP shall notify the European Commission and the competent
authorities of the other Member States of all approvals as well as of any denials of approval.
How long does it take and what are the costs involved in
obtaining the authorisations enabling the transfer of data to
another country?
Within 14 days of the personal data administrator filing the request for authorisation the
director of the Legal and International Activity Directorate of the CPDP provides a motivated
opinion before the CPDP. The CPDP issues a resolution by which it allows or refuses the
provision of the data.
State tax is not collected for procedures before the CPDP.
What are the rights of the data subjects during the process of
transferring data?
Data subjects are entitled to request the personal data administrator to tell them to whom
their personal data has been transferred. If the data subject removes, amends or blocks
his/her personal data from processing, he/she can require the personal data administrator to
notify any third parties to whom the personal data has been transferred about this removal,
amendment or block.
If the rights of a data subject under the PDPA are infringed, the data subject shall inform the
CPDP within one year of the date when he/she became aware of the infringement, but not
later than five years after the date the infringement took place. The PDPA shall pass a decision
within 30 days of the date the matter was referred to it, and may issue binding prescriptions
to remedy the infringement.
The Act provides for the following general sanctions upon infringement:
A fine or a property sanction in the amount of BGN 10,000–100,000 where a person
refuses to cooperate with the PDPA in relation to its investigative functions.
A fine or a property sanction in the amount of BGN 2,000–20,000 for other
infringements of the PDPA.
Repeated infringements are subject to a fine/property sanction of double the amount of
the original penalty imposed.
It is hard to assess the current enforceability of the sanctions imposed by the CPDP, as there is no
available data for the overall activities of the CPDP for 2010. Based on the CPDP's annual report
for 2009 the total number of complaints received for 2009 was 158. In 2007 the CPDP initiated
97 administrative procedures and found infringements of the PDPA in only 13 inspections.
Czech Republic
For example: (i) Commission Decision No. 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC;
(ii) Commission Decision No. 2002/16/EC of 27 December 2001 on standard contractual clauses for the transfer of personal data to processors established in third countries, under
Directive 95/46/EC; (iii) Commission Decision No. 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the
protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce; etc.
3 Under conditions stipulated by the Commission Decision No. 2003/490/EC of 30 June 2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the
adequate protection of personal data in Argentina.
4 Under conditions stipulated by the Commission Decision No. 2010/146 of 5 March 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the
adequate protection provided by the Faeroese Act on processing of personal data.
5 Under conditions stipulated by the Commission Decision No. 2003/821/EC of 21 November 2003 on the adequate protection of personal data in Guernsey.
6 Under conditions stipulated by the Commission Decision No. 2004/411/EC of 28 April 2004 on the adequate protection of personal data in the Isle of Man.
7 Under conditions stipulated by the Commission Decision No. 2008/393/EC of 8 May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the
adequate protection of personal data in Jersey.
8 Under conditions stipulated by the Commission Decision No. 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the
adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.
9 Under conditions stipulated by the Commission Decision No. 2002/2/EC of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the
adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act.
How long does it take and what are the costs involved in
obtaining the authorisations enabling the transfer of data to a
third country?
The term within which the UOOU shall issue the authorisation enabling the transfer of personal
data to a third country is 30 days (60 days in particularly difficult cases). No stamp duty is
imposed on applications for such authorisation enabling the transfer of personal data to a
third country.
What are the rights of the data subjects during the process of
transferring data?
The main rights of the data subjects during the process of internationally transferring personal
data are:
The right to be informed (during the collection of such data) of the scope in which and the
purpose for which the personal data shall be processed, who and in what manner will
process the personal data and to whom the personal data may be disclosed.
The right to be informed (if the controller processes personal data obtained from the data
subject) of whether the provision of the personal data is obligatory or voluntary.
The right to access (upon the data subject's request) information on the data subject's
personal data which is processed by the controller.
10 The Commission Decision No. 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC; and the
Commission Decision No. 2002/16/EC of 27 December 2001 on standard contractual clauses for the transfer of personal data to processors established in third countries, under Directive
95/46/EC.
11 Working Party 29 has been established by Article 29 of Directive 95/46/EC. It is an independent EU Advisory Body on Data Protection and Privacy. Its tasks are laid down in Article 30 of
Directive 95/46/EC and in Article 14 of Directive 97/66/EC.
The right to ask the controller or processor for an explanation and to require that the
controller or processor remedy the state of affairs if the data subject finds or presumes that
the controller or processor is processing his/her personal data in contradiction to the
protection of the private and personal life of the data subject or in contradiction to the law.
The right to report cases of breaches (or alleged breaches) of the rights of an individual as a
data subject to the UOOU.
Hungary
How long does it take and what are the costs involved in
obtaining the authorisations enabling the transfer of data to
another country?
Legally, no authorisation is required under the Hungarian Data Protection Act to enable the
transfer of data to another country. Data controllers must only inform the local data protection
supervisory authority, the Data Protection Commissioner, prior to carrying out any data
processing activities (including transferring personal data to another country). The registration
procedure is merely an administrative obligation; it is free of charge and takes 2-3 weeks. The
data controller is given a registration number, and, when starting a new data processing activity
or the processing of a new group of personal data or if there is other new information about the
data processing, the necessary application may be filed with the Data Protection Commissioner's
office under that number. Any change in the registered data shall be filed with the Data
Protection Commissioner within 8 days of the change. The processing of certain databases is
exempt from the notification obligation (e.g. data relating to employees, customers, patients,
official statistical data). However, the publicly available guidance of the Data Protection
Commissioner emphasises that data transfers outside the European Economic Area are always
subject to registration, even if they fall under the exemption above. In addition, the consent of
the person concerned to the data transfer shall contain information that the level of the
protection of personal data in such countries may not be adequate.
What are the rights of the data subjects during the process of
transferring data?
In addition to the information provision duties of the data controllers outlined in the Hungarian
Data Protection Act, the rights of the data subjects during the process of transferring data are
listed below. As the Hungarian Data Protection Act contains only general rules in this respect, it is
advisable to regulate the detailed process of the fulfilment of the requests of the data subjects in
internal policies.
Access
As a general right, any data subject may request confirmation of whether or not data relating to
him/her are being processed. Upon the data subject's request, the data controller must provide
information concerning the data relating to him/her, including those processed by a data
controller on its behalf, the purpose, grounds and duration of processing, the name and address
(corporate address) of the data controller and on its activities relating to data management, and
the recipients of his/her data and the purpose for which they are or had been transferred. The
data controller must comply with requests for information without any delay, and provide the
information requested in an intelligible form within no more than 30 days. The information
specified above shall be provided free of charge for any category of data once a year. As regards
the denial grounds, the Data Protection Act did not implement Article 12 (c) of Directive 95/46/EC,
on the basis of which certain rights of access may be refused if the data controller's
compliance proves impossible or involves a disproportionate effort, or if access would jeopardise
third parties' rights (e.g. confidentiality). In order to protect the interests of data controllers (such
as huge global organisations with many systems in place) against those requests, which would
simply be impossible to comply with, it is usually recommended that such data controllers reject
an unreasonable request or a request which does not specify its exact scope appropriately on the
basis of the general principles of the Hungarian Civil Code, i.e. that the submission of such
request is made in bad faith or it is unreasonable, or its purpose is to abuse the data controller's
rights by hindering its operation. Certain exemptions and restrictions in connection with the
obligations and rights outlined above, which are allowed by Section VI of the Directive 95/46/EC
(Exemptions and Restrictions), are also implemented by the Hungarian Data Protection Act.
Rectification
Data processors must rectify all personal data if it is false. When data is rectified, the data subject
to whom it pertains and all recipients to whom it was transferred for processing must be notified.
This notification shall not be required if it does not violate the rightful interest of the data subject
in view of the purpose of processing. The Hungarian Data Protection Act does not contain
additional rules on the rectification obligations, such as time limits, denial grounds or fees. It is
assumed that rectification shall be made as soon as possible and free of charge and no specific
denial grounds are set out in the Hungarian Data Protection Act.
Cancellation
All personal data must be erased (with the exception of those processed by order of legal
regulation) if:
they are processed unlawfully
it is requested by the data subject
they are deficient or inaccurate and it cannot be legitimately corrected, provided that deletion
is not disallowed by statutory provision
the purpose of processing no longer exists or the legal time limit for retention has expired
it is instructed by court order or by the Data Protection Commissioner.
When data is erased, the data subject to whom it pertains and all recipients to whom it was
transferred for processing must be notified. This notification is not required if the deletion does
not violate the rightful interest of the data subject in view of the purpose of processing. Similarly
to the rectification rights, the Hungarian Data Protection Act does not contain additional rules on
the cancellation obligations, such as time limits, denial grounds or fees. It is assumed that
rectification shall be made as soon as possible and be free of charge and that no specific denial
grounds (e.g. the data may be stored in an archiving system, other information would be
destroyed upon the deletion, or if the personal data are essential for exercising the rights of the
data controller) are set out in the Hungarian Data Protection Act. It is also not regulated in the
Hungarian Data Protection Act how a data controller could prove the lawfulness of the data
processing if all the personal data of the person requesting the deletion is erased, including
his/her consent to the data processing.
Objection
The data subject shall have the right to object to the processing of data relating to him/her if
processing is carried out solely for the purpose of enforcing the rights and legitimate interests of
the controller. In the event of an objection, the controller shall discontinue processing operations
and investigate the cause of the objection within the shortest possible time, and not exceeding
15 days, and shall notify the data subject in writing of the findings of the investigation. If the
objection is justified, the controller shall terminate all processing operations (including data
collection and transmission), block the data involved and notify all recipients to whom any of
these data had been previously transferred concerning the objection and the ensuing measures;
these recipients shall also take measures regarding the objection. If the data subject disagrees
with the decision taken by the controller, the data subject shall have the right to seek legal
remedy (as rendered by the Hungarian Data Protection Act) within 30 days of the date the
decision was conveyed.
Poland
In the case of transfers of personal data to countries located within the EEA, there are no specific
requirements concerning data transfers. Transfers of personal data are treated the same as
transfers inside the territory of Poland.
The transfer of personal data to third countries providing an adequate level of personal data
protection may be conducted on the same conditions as within the EEA.
In the case of third countries that do not provide an adequate level of personal data protection,
the data controller may transfer the data only if:
the data subject has given his/her written consent
the transfer is necessary for the performance of a contract between the data subject and the
controller or takes place in response to the data subject's request
the transfer is necessary for the performance of a contract concluded in the interests of the
data subject between the controller and another subject
the transfer is necessary or required by reason of public interest or for the establishment of
legal claims
the transfer is necessary in order to protect the vital interests of the data subject
the transfer relates to data which are publicly available.
Alternatively a data controller may apply for prior consent from the Polish Data Protection
Authority (GIODO) to transfer personal data to a third country which does not ensure at least the
same level of personal data protection as that in force in the territory of Poland. Such consent shall
be issued provided that the controller ensures adequate safeguards with respect to the protection
of the privacy, rights and freedoms of the data subject.
The above requirements, regarding transfer to a third country, do not apply to the transfer of
personal data required by legal provisions or by the provisions of any ratified international
agreement.
How long does it take and what are the costs involved in
obtaining the authorisations enabling the transfer of data to a
third country?
The proceedings for issuing consent are carried out based on the regulations applicable to
administrative proceedings and are connected with minor formal requirements. It is necessary to
pay fees of PLN 10 for the issue of a decision, and PLN 17 for powers of attorney (if an attorney is
appointed to participate in the proceedings). An application to issue consent for a transfer should
specify:
the parties to the contract for data transfers
categories of the transferred data
the scope of data
the purpose for which and time the data are to be transferred
the means adopted to protect the rights of the individuals to whom the data relate (e.g.
Binding Corporate Rules or Standard Contractual Clauses)
technical means of securing data, which are applied by the receiving entity (security policy).
During the proceedings, GIODO reviews the application and may demand additional information or
documents confirming that the transferring parties ensured the appropriate level of protection of
personal data. This may significantly extend the proceedings. In practice the proceedings for
issuing consent may take from 1 to 6 months.
Romania
Decision no. 174/2007 on the adequate protection of personal data provided in Switzerland.
Decision no. 175/2007 on the adequate protection of personal data provided in Guernsey.
Decision no. 176/2007 on the adequate protection of personal data provided in the Isle of Man.
Decision no. 90/2008 on the recognition of an adequate level of protection of personal data
provided in Jersey.
How long does it take and what are the costs involved in
obtaining the authorisations enabling the transfer of data to
another country?
For EU/EEA countries, and the six jurisdictions recognised as having an adequate level of
protection (i.e. Argentina, Canada, Switzerland, Guernsey, Isle of Man, and Jersey), the transfer
takes place upon submission of the notification. The Law does not provide for a specific delay
when such a notification must be submitted.
When data is to be transferred to non-EU/non-EEA countries, other than the 6 aforementioned
jurisdictions, approval from the Romanian data protection authority must be issued in this regard.
As a result, the transfer shall be enabled as of the moment such approval was officially issued by
the Romanian data protection authority. Such approval is issued within at least 30 days of the
moment of giving notice of the transfer.
There is no cost involved in obtaining the authorisation enabling the transfer of personal data to
other countries.
As a rule, the existing whistle-blowing hotlines in Romania (e.g. Child Phone Association,
Romanian General Anticorruption Directorate) are bound by confidentiality rules regarding the
information they can collect and pass on to competent authorities. The data subject shall also
have the right to be informed, to access the data, to intervene and to object to his/her data
processing/transfer, under the Law.
The personal data of such individuals is not revealed to the public.
What are the rights of the data subjects during the process of
transferring data?
When personal data is transferred abroad, the data transfer subjects have the following main
rights provided for in the Law and in the standard clauses:
To be informed of the scope of the transfer, the recipients of his/her data, the data
controller's identity, etc.
To have access to his/her data.
The right of intervention over his/her data (e.g. rectification, updating, blocking or deletion of
data whose processing does not comply with the provisions of the Law and of standard
clauses, especially of incomplete or inaccurate data).
The right to object at any moment, based on justified and legitimate reasons linked to his/her
particular situation, to processing data regarding himself/herself, except for the cases of
specific contrary legal provisions.
The right to refer to a court of law.
To invoke against the Romanian-based data controller and/or foreign data processor/data
controller, the Beneficiary Third Party clause stipulated in the standard clauses under
Decision 167 and Order 6 (e.g. to be provided with a copy of the standard clauses, to be
indemnified by a data controller and/or by a data processor in case of prejudice due to
infringement of the Beneficiary Third Party clause, etc).
To be represented, upon his/her request, by an association or by other persons, if the law
allows it.
Under Decision 167, the Romanian data protection authority has the right to check the
contractual clauses used by a data processor established in a country whose legislation does
not provide for a protection level at least equal to that provided by Romanian law, in the
same conditions applicable to Romanian-based data controllers.
Russia
In giving his/her consent for his/her personal data to be processed, a personal data subject is
entitled to receive information on the methods of personal data processing used by the operator,
data on persons who have access to the personal data or who may be given such access, the time
limits for personal data processing, the legal consequences that the processing of his or her
personal data may entail vis-a-vis the subject of personal data. A personal data subject is
therefore entitled to receive information on the operator or on any third party (group company or
a processing company that processes his/her personal data).
The obligation to furnish proof of obtaining the personal data subject's consent for processing
his/her personal data rests upon the operator.
Some exceptions under which personal data can be processed without the personal data
subject's consent are as follows:
the processing is exercised on the basis of a federal law, e.g. legislation on investigative
activities, security and criminal enforcement
the processing is necessary for the performance of an agreement to which the personal
data subject is a party. Nevertheless, if an operator processes personal data for purposes
other than just the performance of the agreement, the personal data subject's consent
should be obtained
the processing is for certain statistical or scientific purposes, provided that the personal
data is depersonalised
the processing is carried out for postal or telecommunication purposes
the processing concerns personal data that is publicly available in accordance with federal
legislation.
Ensuring confidentiality and the safety of the data.
The Personal Data Protection Act provides for general requirements while processing data to any
third party within Russia or abroad. Under the law, an operator may entrust a third party with the
processing of personal data under an agreement. The essential term of the agreement shall be
the third party's obligation to ensure the confidentiality of personal data and the security of the
personal data being processed. Third parties shall independently satisfy the legal requirements for
processing personal data. Under the law, should an operator receive personal data from a source
other than the subject of the personal data, the latter is entitled to receive all the necessary
information about the company that will directly operate his/her data (the name and address of
the company, the goal of personal data processing etc.).
The processing of personal data should ensure the following:
the prevention of unauthorised access to the personal data and/or its transfer to persons
not authorised to access it
the timely detection of any unauthorised access to the personal data
the prevention of the hardware being affected by automated personal-data processing
tools which may disrupt its operation
the immediate restoration of personal data that has been modified or destroyed as a result
of unauthorised access
the permanent monitoring of the adequate protection of personal data.
Storing the data within a limited time period.
The Russian Data Protection Act does not establish particular restrictions as to the term of
storage of information. Personal data may be stored until the fulfilment of the purpose for which
they have been collected, after which the operator must destroy the data within three working
days, unless prescribed otherwise by the law.
Following technical measures (encryption/cryptography devices).
Any operator shall, in processing personal data, be obliged to take the organisational and
technical measures required under Russian law. This may include using encryption (cryptographic)
facilities, protecting personal data against any illegal or accidental access thereto, the destruction,
alteration, blocking, copying, dissemination of personal data, as well as against other illegal
actions. Special Russian Government Resolutions and instructions of the Russian Federal Security
Service describe in detail which measures should be taken by operators.
Notifying the authorised data protection authority
An operator is to send a notification to the Russian Data Protection Authority (Roskomnadzor)
(hereinafter the Data Protection Authority) of any intention to process personal data
irrespective of whether cross-border transfer will take place or not.
No official document is required from the Data Protection Authority to start processing personal
data. There is no requirement to provide regular updates.
The notification should be made in writing, signed by an authorised person and sent by mail or
by electronic mail verified by the registered electronic signature of an authorised person.
The notification procedure is free of charge for the operator.
The notification should be submitted to the territorial branch of the Data Protection Authority.
There is no obligation to notify the Data Protection Authority in cases where:
- the personal data concerns personal data subjects who have an employment relationship
  with the operator
- the personal data is processed exclusively for the purposes of an agreement between the
  personal data subject and the operator. However, if an operator processes personal data for
  other purposes than just the performance of an agreement, the notification should be sent to
  the Data Protection Authority
- the personal data includes only surnames, names, and patronymics of personal data subjects
- the personal data is included in public information databases.
In the unofficial opinion of the Russian Personal Data Protection Authority, member countries of
the Convention for the protection of individuals regarding the automatic processing of personal
data (28 January 1981, ETS No. 108) are supposed to be regarded as countries providing an
adequate level of personal data protection.
Also, countries that adopted global laws on the protection of personal data may be considered as
providing an adequate level of protection, such as Andorra, Argentina, Israel, Canada, Norway,
Japan, etc.
How long does it take and what are the costs involved in
obtaining the authorisations enabling the transfer of data to
another country?
Under Russian law no official authorisation is required to transfer personal data to another country.
What are the rights of the data subjects during the process of
transferring data?
The rights of the data subjects during the process of transferring data are:
- to obtain information about the operator, its location and the personal data in its possession
  which concerns the particular personal data subject, as well as to become acquainted with
  this data
- to demand that the operator specify his/her personal data, block or destroy it in the event
  that the personal data is incomplete, outdated, inaccurate, illegally obtained or is not essential
  to the declared goal of processing, as well as to take measures envisaged under the law to
  protect his/her rights
- to know the reason for processing, the time limits for keeping the data, as well as the
  consequences of processing
- to appeal against the actions or inaction of the operator to the Data Protection Authority or
  in a judicial procedure, if the personal data subject considers that the operator is processing
  his or her personal data in violation of the requirements of the law.
There are also restrictions on the transfer of personal data outside Russia. Although
companies may freely transfer personal data to countries that adequately protect data
subjects' rights, there is currently no list of approved countries. In addition, personal data may
be transferred to any country, regardless of the level of personal data protection the recipient
country offers, with the written consent of the individual concerned. The law grants
individuals and their representatives the right to access the individual's personal data and to
object to processing the data.
Cross-border transfers are not very well regulated. At the moment the Data Protection
Authority has no mechanism to really control heavy flows of personal data of Russian citizens
that are stored abroad in the global databases of big companies. There will probably be
amendments to the Personal Data Protection Act in the near future regarding the powers of
the Data Protection Authority on this issue.
Russian legislation on personal data protection is still new. Although it is similar in style to
data protection laws in the European Union, enforcement authorities themselves have many
questions and discrepancies as to the application of the Personal Data Protection Act.
Compliance with the act may prove to be challenging because of its burdensome
requirements, possible inconsistencies with other Russian laws and lack of interpretation. In
addition, the Personal Data Protection Act provides a number of exceptions to the notification
requirements, but many companies are required to notify the authorities.
Slovakia
These conditions vary depending on the country to which the personal data are to be transferred,
and on whether they are to be transferred to a controller or to a processor.
How long does it take and what are the costs involved in
obtaining the authorisations enabling the transfer of data to
another country?
Consent enabling the transfer of personal data to another country (when needed) from the
Office for Personal Data Protection of the Slovak Republic may be obtained free of charge and
should be granted without undue delay, but no later than 30 days after the application is
submitted by a controller.
What are the rights of the data subjects during the process of
transferring data?
Transferring personal data is assumed to be a part of processing the personal data. Therefore,
during the process of transferring the personal data, a data subject has the same general rights
as when his personal data are processed, e.g.:
The data subject may request from the controller:
- information on the status of processing his personal data in the filing system, information on
  the source from which the controller obtained the personal data,
- a copy of his personal data, rectification of any inaccurate, incomplete or out-of-date data
  which is being processed,
- destruction of his personal data.
In some cases, the data subject may file objections to the controller:
- if his personal data is processed, used or provided for the purposes of direct marketing
- if the controller makes a decision which has legal effects on the data subject or significantly
  affects him, the data subject may refuse to submit to such decision
- if the controller wishes to transfer the data to a third country which does not ensure an
  adequate level of personal data protection, the data subject may refuse to consent to it.
Ukraine
The Ukrainian Parliament has adopted a Personal Data Protection Law that will become effective from 1 January
2011. The information on Ukraine provided in the Guide is valid only until that date.
Moreover, under the Information Law, when collecting and disseminating personal data, the
individual has a right to know the purpose of the information collection and dissemination and
may also access the information and object to any errors.
Thus, due to the lack of separate legislation in Ukraine in the sphere of personal data protection,
the general rules shall apply and, therefore, any transfer of personal data abroad must have the
relevant individual's consent unless the exemptions mentioned above apply.
How long does it take and what are the costs involved in
obtaining the authorisations enabling the transfer of data to
another country?
Please refer to the answer to question 3 as regards procedural issues. With respect to the costs,
usually the transfer of personal data, when applicable, is conducted on a cost-free basis.
However, exemptions may be provided for by the relevant international agreements.
What are the rights of the data subjects during the process of
transferring data?
In accordance with the Information Law, the participants in an information relationship shall have
the right to receive (produce, obtain), use, disseminate, and store information in any form, using
any means, except in cases envisaged by law. Furthermore, the respective individual has a right to
know the purpose of the information collection and dissemination as well as access the
information and object to any errors.
Contacts
BULGARIA
David Butts
CMS Cameron McKenna EOOD
Soravia Centre
14 Tsar Osvoboditel Blvd.
Floor 2
1000 Sofia, Bulgaria
24 Paleologu Street
Sector 3
030552 Bucharest, Romania
T +359 2 921 9910
F +359 2 921 9919
E david.butts@cms-cmck.com
CZECH REPUBLIC
Helena Hailichova
CMS Cameron McKenna v.o.s.
Palladium
Na Poříčí 1079/3a
110 00 Prague
Czech Republic
T +420 221 098 887
F +420 221 098 000
E helena.hailichova@cms-cmck.com
HUNGARY
Dr Dóra Petrányi
Ormai és Társai CMS Cameron
McKenna LLP
YBL Palace, 3rd Floor
Károlyi Mihály utca, 12
H-1053 Budapest, Hungary
T +48 22 5205 555
F +48 22 5205 556
E andrzej.krasuski@cms-cmck.com
POLAND
Dr Andrzej Krasuski
CMS Cameron McKenna Dariusz Greszta
Spółka Komandytowa
Warsaw Financial Center
ul. Emilii Plater 53
00-113 Warsaw, Poland
T +48 22 520 5555
F +48 22 520 5556
E andrzej.krasuski@cms-cmck.com
Marcin Lewoszewski
CMS Cameron McKenna Dariusz Greszta
Spółka Komandytowa
Warsaw Financial Center
Ul. Emilii Plater 53
00-113 Warsaw Poland
T +48 22 520 5525
F +48 22 520 5556
E marcin.lewoszewski@cms-cmck.com
ROMANIA
John Fitzpatrick
CMS Cameron McKenna SCA
24 Paleologu Street
Sector 3
030552 Bucharest, Romania
T +40 21 317 2279
F +40 21 317 2280
E john.fitzpatrick@cms-cmck.com
SLOVAKIA
Ian Parker
Ružička Csekes s.r.o.
in association with members of CMS
Vysoká 2B
811 06 Bratislava
Slovakia
T +421 2 32 33 3444
F +421 2 32 33 3443
E ian.parker@cms-cmck.com
UKRAINE
Olexander Martinenko
CMS Cameron McKenna LLC
6th Floor, 38 Volodymyrska Street
01034 Kyiv
Ukraine
T +380 44 391 33 77
F +380 44 391 33 88
E olexander.martinenko@cms-cmck.com
CMS offices
Aberdeen, Edinburgh, Moscow, Hamburg, Bristol, Amsterdam, London, Utrecht, Antwerp, Brussels,
Paris, Stuttgart, Vienna, Strasbourg, Munich, Zurich, Lyon, Ljubljana, Kyiv, Bratislava, Budapest,
Zagreb, Belgrade, Bucharest, Sarajevo, Milan, Rome, São Paulo, Buenos Aires, Montevideo, Beijing,
Shanghai, Berlin, Warsaw, Leipzig, Duesseldorf, Dresden, Cologne, Prague, Frankfurt, Arnhem, Sofia,
Madrid, Seville, Marbella, Algiers, Casablanca
The information held in this publication is for general purposes and guidance only and does not purport to constitute legal or professional advice.
CMS Cameron McKenna LLP is a limited liability partnership registered in England and Wales with registration number OC310335. It is able to
provide international legal services to clients utilising, where appropriate, the services of its associated international offices. The associated
international offices of CMS Cameron McKenna LLP are separate and distinct from it. We use the word "partner" to refer to a member, or an
employee or consultant with equivalent standing and qualifications.
Further information about the firm can be found at www.cms-cmck.com
CMS Cameron McKenna LLP is a member of CMS, the organisation of nine European law firms providing businesses with legal and
tax services in 27 jurisdictions, with 53 offices in Western and Central Europe and beyond. CMS aims to be recognised as the best
European provider of legal and tax services. Clients say that what makes CMS special is a combination of three things: strong, trusted client
relationships, high quality advice and industry specialisation. CMS combines deep local expertise and the most extensive presence in Europe with
cross-border consistency and coordination.
Registered address: Mitre House, 160 Aldersgate Street, London EC1A 4DD.