
International data transfers
CMS Cameron McKenna: CEE Guide

2010

Contents
Bulgaria, page 4
Czech Republic, page 9
Hungary, page 13
Poland, page 19
Romania, page 23
Russia, page 28
Slovakia, page 35
Ukraine, page 39

Please note that the Guide and its contents do not constitute legal advice. Professional legal advice should be sought
when navigating through any data protection issues. The contents of the Guide are correct as at 1 July 2010.

Introduction
Irrespective of their type of business, companies these days are more often
choosing to outsource selected activities to entities that professionally deal
with these operations. In many cases, the chosen professional service
providers are based in another country, and often outside the European
Economic Area.
In most cases such outsourced operations include processing the personal data of both
employees and individuals providing services on the basis of other types of contracts, as well as
clients and prospective clients. In many cases the outsourcing is of a multi-jurisdictional nature.
This tendency to outsource business operations including the processing of personal data results
in challenges for companies. Before taking decisions to outsource operations where personal
data processing plays a key role, they have to learn about the differences in national regulations
regarding data protection, among other things.
We understand these challenges and we would like to support you by offering you the Guide on
International Data Transfers in CEE. The Guide has been prepared in a question and answer
format and has been divided into eight country-specific chapters, i.e. Bulgaria, Czech Republic,
Hungary, Poland, Romania, Russian Federation, Slovakia and Ukraine. In these jurisdictions CMS
has been providing legal assistance on personal data protection to businesses for many years.
This has enabled us to develop a unique understanding of our clients' objectives on personal data
protection. All of our CEE practices have dedicated data protection lawyers with a wealth of
experience in proceedings related to data transfers conducted by the regulatory bodies in their
respective countries. This puts our firm in the advantageous position of being able to advise on
data protection issues right across the region. The CEE Data Protection Group, our internal forum
for knowledge sharing and training in this area of the law, enables our lawyers to discuss current
legal developments as well as pool their experience and effectively tackle client issues.
Our objective is that the Guide will prove useful to you in your business operations. We very
much value your opinion and comments on the Guide, as they will help us prepare new editions
of the publication even better tailored to your business needs. Therefore, we would appreciate it
if you could send any comments on this document to the following address:
Internationaldatatransfers@cms-cmck.com.

Andrzej Krasuski
Partner
CEE Data Protection Group Coordinator

Bulgaria

Regulatory framework
The Bulgarian regulatory framework on international transfer of personal data consists of the
following regulations:
The Personal Data Protection Act, published in State Gazette No. 1 dated 4 January 2002, as
amended from time to time with the last amendment on 5 June 2009 (hereinafter referred to
as the PDPA).
The Rules on the Activities of the Commission for Personal Data Protection and its
Administration, published in State Gazette No. 11 dated 10 February 2009.

The scope of the application of data protection regulations
The processing of personal data and the rights of the individuals with regard to the
processing of their personal data is regulated by the PDPA. According to the definition
provided in the PDPA, personal data is any information relating to an individual, where the
individual is identified or identifiable directly or indirectly by reference to an identification
number or to one or more specific features. The processing of personal data shall mean any
operation or set of operations which can be performed in respect of personal data, whether
by automatic means or otherwise, such as the collection, recording, organisation, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination,
provision, transfer, updating or combination, blocking, deletion or destruction.
The PDPA applies to the processing of personal data by:
Automated means.
Non-automated means where the data is supposed to be a part of a register.

4 | International data transfers: CEE Guide

Scope of the PDPA with respect to personal data administrators: The PDPA applies if the
personal data administrator:
is established on the territory of the Republic of Bulgaria
is not established on the territory of the Republic of Bulgaria but is bound to apply the
PDPA by virtue of international public law
is not established on the territory of a European Union Member State, nor in another
member country of the European Economic Area but, for the purposes of such processing,
makes use of means located on the territory of the Republic of Bulgaria, unless such means
are used exclusively for transit purposes; in such a case the administrator must designate a
representative established on the territory of the Republic of Bulgaria.
With respect to the subject matter and the purpose of the processing of personal data, the
PDPA also applies to the processing of personal data for defence, national security and public
order purposes as well as for the purposes of criminal justice; insofar as this is not governed
by special laws. The PDPA does not apply to the processing of personal data by individuals for
their personal or household activity or to information preserved in the National Archive.

Bans on transferring personal data to another country; e.g. due to the type of data, or the type of data controller
The PDPA does not provide any specific bans regarding the type of data or the type of data
controller in transferring personal data, but it provides certain restrictions on processing the
so-called sensitive personal data which (i) reveal racial or ethnic origin; (ii) reveal political,
religious or philosophical convictions, membership in political parties or organisations,
associations having religious, philosophical, political or trade-union goals; (iii) refer to health,
sex life or human genome. The ban on processing sensitive data is not absolute, and the
processing of this data and its transfer shall be allowed as long as the specific requirements of
the PDPA are met.

What are the legal requirements for transferring personal data to another country?
According to the general rule of the PDPA the transfer of personal data by the personal data
administrator to a foreign individual or legal entity or to foreign government authorities shall
be allowed upon the approval of the Commission for Personal Data Protection (CPDP), if the
legislation of the recipient country guarantees a level of data protection that is better than or
equivalent to that provided by the PDPA. Upon the transfer of personal data in this case the
provisions of the PDPA shall apply.
According to the specific provisions referring to the transfer of data to specific countries the
transfer of personal data to any Member State of the European Union and to any other
member country of the European Economic Area shall be done freely, in compliance with the
requirements of the PDPA.
The transfer of personal data to a third country (which is not an EU Member State or a member of
the EEA) shall be allowed only if such third country ensures an adequate level of personal
data protection within its territory.
Besides the above cases, the personal data administrator may transfer personal data to a third
country if:
the individual to whom such data relate has given his or her explicit consent
the transfer is required for the execution of a contract between the individual and the
administrator, as well as for any actions preceding the execution of the contract
undertaken at such person's request
the transfer is required for the conclusion and execution of a contract accomplished in the
interest of the individual between the administrator and another contract party
the transfer is necessary or required by law due to an important public interest, or for the
establishment, exercise or defence of legal claims
the transfer is necessary in order to protect the life and health of the individual to whom
such data relate
the data originate from a public register accessible pursuant to the rules and conditions
stipulated by law.
The transfer of personal data to third countries shall also be admissible in all cases where it is
performed exclusively for the purposes of journalism, or literary or artistic expression to the
extent to which it does not violate the right to privacy of the person to whom such data relate.
In any other case not mentioned above, the transfer of personal data to a third country shall
take place upon the approval of the CPDP provided that both the administrator transferring
the data and the administrator receiving the data have provided adequate safeguards for the
protection of such data. The CPDP shall notify the European Commission and the competent
authorities of the other Member States of all approvals as well as of any denials of approval.

Please describe how an adequate level of personal data protection is understood under Bulgarian regulations.
The statute does not provide for a definition of the term adequate level of personal data
protection. The PDPA provides that the adequacy of the level of protection of personal data
afforded by a third country shall be assessed by the CPDP in consideration of all the
circumstances relating to the data transfer operation or the set of data transfer operations,
including the nature of data, the purpose and duration of their processing, the legal basis and
security measures provided in such third country.
The CPDP shall not undertake the assessment referred above where a decision of the
European Commission is to be executed, whereby the European Commission has ruled that:
the third country to which the personal data are transferred has ensured an adequate level
of protection
certain appropriate contractual clauses are in place ensuring an adequate level of
protection. In this case, the administrator shall apply the standard contractual clauses
whenever transferring data to a third country.

How long does it take and what are the costs involved in
obtaining the authorisations enabling the transfer of data to
another country?
Within 14 days of the personal data administrator filing the request for authorisation, the
director of the Legal and International Activity Directorate of the CPDP submits a reasoned
opinion to the CPDP. The CPDP then issues a resolution by which it allows or refuses the
transfer of the data.
No state fee is charged for procedures before the CPDP.

Are EU standard contractual clauses and/or Binding Corporate Rules (BCR) recognised in Bulgaria?
The EU standard contractual clauses are recognised in Bulgaria.

What is the approach of your national data protection authorities to whistle-blowing hotlines (SOX) involving the transfer of data to other countries?
The CPDP has not yet issued any official opinion on whistle-blowing hotlines.

What are the rights of the data subjects during the process of
transferring data?
Data subjects are entitled to request the personal data administrator to tell them to whom
their personal data has been transferred. If the data subject removes, amends or blocks his/
her personal data from processing, he/she can require the personal data administrator to
notify any third parties to whom the personal data has been transferred about this removal,
amendment or block.
If the rights of a data subject under the PDPA are infringed, the data subject may refer the matter to the
CPDP within one year of the date when he/she became aware of the infringement, but not
later than five years after the date the infringement took place. The CPDP shall pass a decision
within 30 days of the date the matter was referred to it, and may issue binding prescriptions
to remedy the infringement.

What are the rights of the national data protection authority in the process of transferring data?
According to the PDPA the national data protection authority supervising the data transfer
process is the CPDP.
The CPDP is an independent government body ensuring the protection of individuals in the
processing of their personal data and in the access thereof. It also monitors the PDPA.
The general powers of the CPDP, which are also executed in the case of a transfer of personal
data, are to:
review and monitor the observance of the legal framework in the field of personal data
protection
keep a register of personal data administrators and the personal data registers kept by them
investigate personal data administrators
give opinions and issue permits in cases provided by the PDPA
issue mandatory instructions to administrators in connection with personal data protection
suspend, upon prior notification, the processing of personal data that would violate the
provisions on the protection of personal data
handle complaints against acts and actions of administrators which infringe the rights of
individuals under the PDPA, as well as third parties' complaints in relation to their rights
participate in drafting and issuing opinions in regard to drafts of laws and regulations in
the field of personal data protection
ensure enforcement of European Commission decisions in the field of personal data
protection.
The Commission shall coordinate the Codes of Conduct of personal data administrators with
the relevant branches and business fields and in the case of any discrepancies with the legal
framework shall issue binding prescriptions.
The specific rights and powers of the CPDP with respect to the transfer of personal data are
its right to issue approvals for the transfer of personal data in accordance
with the provisions of the PDPA and to assess the adequacy of the level of
protection provided by a third country.

What are the sanctions for infringing data transfer requirements, and how likely are they to be applied from the practical perspective? Please elaborate on the enforceability of these sanctions.
The PDPA does not provide specific sanctions for infringement of the data
transfer requirements. The general provisions, which provide for sanctions, apply.

The Act provides for the following general sanctions upon infringement:
A fine or a property sanction in the amount of BGN 10,000 to 100,000 where a person
refuses to cooperate with the CPDP in relation to its investigative functions.
A fine or a property sanction in the amount of BGN 2,000 to 20,000 for other
infringements of the PDPA.
Repeated infringements are subject to a fine/property sanction of double the amount of
the original penalty imposed.
It is hard to assess the current enforceability of the sanctions imposed by the CPDP, as there is no
available data on the overall activities of the CPDP for 2010. Based on the CPDP's annual report
for 2009, the total number of complaints received in 2009 was 158. In 2007 the CPDP initiated
97 administrative procedures and found infringements of the PDPA in only 13 inspections.

Czech Republic

What is the regulatory framework on transferring personal data to another country?
The Czech regulatory framework on the international transfer of personal data consists of the
following regulations:
The main law is Act No. 101/2000 Coll., the Personal Data Protection Act, as amended
(hereinafter referred to as the Act).
In addition, there are several special Czech laws regulating (to a marginal extent) the
international transfer of personal data in some specific areas, such as Act No.283/1993 Coll.,
on State Prosecutors, as amended; Act No.325/1995 Coll., on Asylum, as amended; Act
No.359/1999, on the Protection of Children, as amended, etc.
In addition, in respect of the international transfer of personal data, the Czech Republic is also
bound by certain international treaties (such as the Convention for the Protection of Individuals
with regard to the Automatic Processing of Personal Data CETS No. 108, Council of Europe,
1981) and the EU legal framework (such as EU Commission Decision No. 2001/497/EC on
standard contractual clauses for the transfer of personal data to third countries, EU Commission
Decision No. 2000/520/EC on the adequacy of the protection provided by the safe harbour
privacy principles and related frequently asked questions issued by the US Department of
Commerce, etc.).

Are there any bans on the transfer of personal data to another country; e.g. due to the type of data, or the type of data controller?
According to the Act, there are no express bans imposed on the transfer of personal data to
another country due to the type of data, or due to the type of a data controller. However, the Act
imposes specific conditions for the transfer of personal data outside the Czech Republic,
depending on the type of country to which the transfer should be made (for details please see
the answer to the next question).
What are the legal requirements for transferring personal data to another country?
The transfer of personal data to other EU countries is not restricted.
Personal data may be transferred freely to non-EU countries if such transfer is allowed by the
provisions of an international treaty, which was ratified by the Czech Parliament [1], or on the
basis of a decision of an EU institution [2].
If none of the above cases applies, then the transfer of personal data to a non-EU country
may still take place provided that the Czech Data Protection Office (hereinafter the UOOU)
issues a written authorisation in this respect. The UOOU can issue the authorisation for a
transfer to a non-EU country provided that:
the transfer is carried out with the consent of, or on the basis of an instruction from, the
data subject
the laws of the country of destination ensure an adequate level of personal data protection
the personal data is kept in publicly accessible data files, as provided for by specific
legislation, or is accessible to anyone who proves they have a sufficient legal interest
the transfer is held to be in the public interest, as provided for by specific legislation, or by
an international treaty binding on the Czech Republic
the transfer is necessary for negotiating the conclusion or change of a contract, carried out
at the data subjects request, or for the performance of a contract to which the data
subject is a contracting party
the transfer is necessary to perform a contract between the data controller and a third
party, concluded in the interest of the data subject, or to exercise other legal claims
the transfer is necessary for the protection of the rights or vital interests of the data
subject, in particular for preventing death or providing health care.

Please describe how an adequate level of personal data protection is understood under your national regulations.
The Act does not define the term adequate level of personal data protection. In practice, the
level of protection of personal data in a third (i.e. non-EU) country shall be (with the exceptions
mentioned below) assessed by the UOOU on a case-by-case basis.
In respect of the transfer of personal data to the following non-EU countries, the UOOU shall not
individually assess the level of protection of personal data in these countries on a case-by-case
basis because an adequate level of personal data protection in these countries has been
recognised on the basis of laws applicable in the Czech Republic:
Member states of the Convention for the Protection of Individuals with regard to Automatic
Processing of Personal Data, No. 108, entered into force on 1 October 1985
Argentina [3]
the Faeroe Islands [4]
Guernsey [5]
Isle of Man [6]
Jersey [7]
the USA in the cases of so-called safe harbour [8]
Canada [9]

[1] Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, CETS No. 108, Council of Europe, 1981.
[2] For example: (i) Commission Decision No. 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC; (ii) Commission Decision No. 2002/16/EC of 27 December 2001 on standard contractual clauses for the transfer of personal data to processors established in third countries, under Directive 95/46/EC; (iii) Commission Decision No. 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce; etc.
[3] Under conditions stipulated by Commission Decision No. 2003/490/EC of 30 June 2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina.
[4] Under conditions stipulated by Commission Decision No. 2010/146 of 5 March 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection provided by the Faeroese Act on processing of personal data.
[5] Under conditions stipulated by Commission Decision No. 2003/821/EC of 21 November 2003 on the adequate protection of personal data in Guernsey.
[6] Under conditions stipulated by Commission Decision No. 2004/411/EC of 28 April 2004 on the adequate protection of personal data in the Isle of Man.
[7] Under conditions stipulated by Commission Decision No. 2008/393/EC of 8 May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey.
[8] Under conditions stipulated by Commission Decision No. 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce.
[9] Under conditions stipulated by Commission Decision No. 2002/2/EC of 20 December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act.

In addition, an adequate level of personal data protection shall be deemed to be achieved in
cases where the transfer of personal data to a non-EU country is based on standard contractual
clauses [10].

How long does it take and what are the costs involved in
obtaining the authorisations enabling the transfer of data to a
third country?
The term within which the UOOU shall issue the authorisation enabling the transfer of personal
data to a third country is 30 days (60 days in particularly difficult cases). No stamp duty is
imposed on applications for such authorisation enabling the transfer of personal data to a
third country.

Are EU standard contractual clauses and/or Binding Corporate Rules (BCR) recognised in your jurisdiction? If not, please explain why.
Standard EU contractual clauses are recognised in the Czech Republic.
The UOOU is aware of Binding Corporate Rules (BCR). However, as the concept of BCR is not
expressly recognised by Czech law, the UOOU will assess every application for authorisation for a
transfer to a non-EU country by a company with the BCR in place on an individual basis, i.e.
having BCR in place does not guarantee the UOOU will automatically approve a transfer of
personal data outside the EU.

What is the approach of your national data protection authorities to whistle-blowing hotlines (SOX) involving the transfer of data to other countries?
The UOOU has not issued any official statement in respect of whistle-blowing hotlines (apart
from publishing Czech language versions of the papers and documents issued by the Working
Party 29 [11]).

What are the rights of the data subjects during the process of
transferring data?
The main rights of the data subjects during the process of transferring personal data
internationally are:
The right to be informed (during the collection of such data) of the scope in which and the
purpose for which the personal data shall be processed, who and in what manner will
process the personal data and to whom the personal data may be disclosed.
The right to be informed (if the controller processes personal data obtained from the data
subject) of whether the provision of the personal data is obligatory or voluntary.
The right to access (upon the data subjects request) information on the data subjects
personal data which is processed by the controller.

[10] Commission Decision No. 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC; and Commission Decision No. 2002/16/EC of 27 December 2001 on standard contractual clauses for the transfer of personal data to processors established in third countries, under Directive 95/46/EC.
[11] Working Party 29 was established by Article 29 of Directive 95/46/EC. It is an independent EU advisory body on data protection and privacy. Its tasks are laid down in Article 30 of Directive 95/46/EC and in Article 14 of Directive 97/66/EC.

The right to ask the controller or processor for an explanation and to require that the
controller or processor remedy the state of affairs if the data subject finds or presumes that
the controller or processor is processing his/her personal data in contradiction to the
protection of the private and personal life of the data subject or in contradiction to the law.
The right to report cases of breaches (or alleged breaches) of the rights of an individual as a
data subject to the UOOU.

What are the rights of the national data protection authority in the process of transferring data?
In respect of the process of transferring personal data abroad, the main tasks and rights of the
UOOU are:
to supervise the observance of the obligations provided by law in personal data processing
(including transferring personal data abroad)
to authorise the transfer of personal data abroad (if such authorisation is necessary in
particular cases)
to deal with complaints concerning breaches of obligations provided by law in personal data
processing and announce their settlement
to carry out inspections of the controller or processor (including on-site investigations)
to deal with administrative offences in the area of personal data protection and to
impose fines
to co-operate with similar authorities in other countries, with EU institutions and with
international organisations operating in the area of personal data protection
to provide consultations in the area of personal data protection.

What are the sanctions for infringing data transfer requirements, and how likely are they to be applied from the practical perspective? Please elaborate on the enforceability of these sanctions.
In general, the UOOU can:
impose administrative fines of up to CZK 10,000,000 (approx. 333,000)
order measures for remedy (such as liquidation of illegally collected personal data, etc.)
In our experience, the UOOU usually takes a strict approach towards breaches of data protection
rules and, in principle, insists on the implementation of remedial measures and on the payment of any
fines imposed.
If a data subject feels his/her rights to privacy have been infringed by his/her personal data being
processed (including being transferred abroad) not in compliance with relevant laws, he/she can
file a civil law petition in court. There are no binding rules for the total length of such court
proceedings, or for the maximum amount of compensation awarded in Czech law. Therefore, in
practice the outcome and the length of each case will differ.
In the case of a serious breach of the personal data protection laws, the perpetrator (but only an
individual person, not a legal entity) can be subject to criminal law sanctions, including
imprisonment for up to eight years.

Hungary

What is the regulatory framework on transferring personal data to another country?
Act LXIII of 1992 on the Protection of Personal Data and the Disclosure of Information of Public
Interest, as amended, of the Republic of Hungary (Hungarian Data Protection Act) which is
compliant with Directive 95/46/EC applies to all data processing operations performed in the
territory of Hungary (including transferring personal data to another country) that pertain to the
data of natural persons.

Are there any bans on transferring personal data to another country; e.g. due to the type of data, or the type of data controller?
Except for the legal requirements set out in point 3 below, there are no other bans on
transferring personal data to another country under Hungarian law.

What are the legal requirements for transferring personal data to another country?
Pursuant to the provisions of the Hungarian Data Protection Act, personal data may be
transferred to a third country (a country outside the European Economic Area) from Hungary
if the data subject gives his/her express consent to the transfer
if the transfer is permitted by law and the laws of the third country ensure an adequate level
of protection with respect to the personal data transferred.

Please describe how an adequate level of personal data protection is understood under your national regulations.
The level of protection is deemed adequate if:
the European Commission has determined that the level of protection is adequate
there is an international treaty between the third country and Hungary containing guarantees
for the rights of data subjects and independent control of the data processing operations
referred to in the Data Protection Act
the third country controller or processor offers appropriate safeguards to ensure an adequate
level of protection and the basic freedoms and rights of data subjects, in particular, if data
processing is carried out in compliance with a legal act adopted by the European Commission.
Personal data may be transferred to third countries within the framework of an international
agreement for mutual legal assistance between authorities as well, for the purpose and with the
contents specified in the agreement.

How long does it take and what are the costs involved in
obtaining the authorisations enabling the transfer of data to
another country?
Legally, no authorisation is required under the Hungarian Data Protection Act to enable the
transfer of data to another country. Data controllers must only inform the local data protection
supervisory authority (the Data Protection Commissioner) prior to carrying out any data
processing activities (including transferring personal data to another country). The registration
procedure is merely an administrative obligation; it is free of charge and takes 2-3 weeks. The
data controller is given a registration number, and, when starting a new data processing activity
or the processing of a new group of personal data, or if there is other new information about the
data processing, the necessary application may be filed with the Data Protection Commissioner's
office under that number. Any change in the registered data shall be filed with the Data
Protection Commissioner within 8 days of the change. The processing of certain databases is
exempt from the notification obligation (e.g. data relating to employees, customers, patients,
official statistical data). However, the publicly available guidance of the Data Protection
Commissioner emphasises that data transfers outside the European Economic Area are always
subject to registration, even if they fall under the exemption above. In addition, the consent of
the person concerned to the data transfer shall contain information that the level of the
protection of personal data in such countries may not be adequate.

Are EU standard contractual clauses and/or Binding Corporate Rules
(BCR) recognised in your jurisdictions? If not, please explain why.
Both the use of the EU standard contractual clauses and Binding Corporate Rules (BCR) are
recognised in Hungary. In our experience the application of EU standard contractual clauses is
more popular among Hungarian data processors. It is worth noting that, contrary to the practice
of some other European countries, a company using such model clauses need only notify
the Data Protection Commissioner of that fact. The contracts themselves are not filed with the
Data Protection Commissioner's office. The application of BCRs is also recommended by the Data
Protection Commissioner, who has also suggested an amendment to Hungarian labour law
in order to facilitate the use of BCRs. However, to date only one company has notified the
Data Protection Commissioner that it uses BCRs in connection with transferring personal data
to another country. The reason for this may be a lack of awareness among data processors of
the possibility of using BCRs.


What is the approach of your national data protection authorities
to whistle-blowing hotlines (SOX) involving the transfer of data
to other countries?
In Hungary, whistle-blowing hotlines are not regulated expressly by the law. As a general legal
background, the Hungarian Data Protection Act governs the processing of the data of the
employees involved in a whistle-blowing scheme, if any element of such data processing takes
place in Hungary.
Despite the lack of express legal regulations, the local implementation of whistle-blowing
schemes has been analysed by the Hungarian Data Protection Commissioner in publicly available
opinions (which are non-binding, but serve as very strong guidelines in the interpretation of the
Hungarian data protection law) several times. The approach of the Hungarian Data
Protection Commissioner appears to be rather negative towards such schemes, on the grounds
that they are not in line with European privacy standards and may result in the infringement
of the personal data rights of the employees concerned. However, the Hungarian Data
Protection Commissioner has also declared that there are no express legal obstacles to the
implementation of such schemes if the Hungarian Data Protection Act is complied with.
Therefore, companies which implement whistle-blowing schemes in their own internal by-laws
and regulations, prior to any corresponding amendment of the current legislation, must be very
careful to avoid any conflict with the provisions of Hungarian law on confidentiality and data
privacy, as well as with sensitive employment law issues. The Data Protection Commissioner has
emphasised that Opinion 1/2006 of the Article 29 Data Protection Working Party on the
application of EU data protection rules to internal whistle-blowing schemes (WP 117) is the most
comprehensive summary of the legal issues which may arise in connection with the
implementation of whistle-blowing schemes and must be taken into account when interpreting
the relevant Hungarian laws. WP 117 is, of course, non-binding; however, if there is any
ambiguity as to the compliance of a proposed whistle-blowing scheme with the applicable
Hungarian laws, it is likely that the Data Protection Commissioner will consider the findings of
WP 117 when forming its opinion. Companies should therefore also consider WP 117 when
implementing their own whistle-blowing schemes in Hungary.

What are the rights of the data subjects during the process of
transferring data?
In addition to the information provision duties of the data controllers outlined in the Hungarian
Data Protection Act, the rights of the data subjects during the process of transferring data are
listed below. As the Hungarian Data Protection Act contains only general rules in this respect, it is
advisable to regulate the detailed process of the fulfilment of the requests of the data subjects in
internal policies.
Access
As a general right, any data subject may request confirmation of whether or not data relating to
him/her are being processed. Upon the data subject's request, the data controller must provide
information concerning the data relating to him/her, including data processed by a data
processor on its behalf, the purpose, grounds and duration of processing, the name and address
(corporate address) of the data controller and its activities relating to data management, and
the recipients of his/her data and the purpose for which they are or had been transferred. The
data controller must comply with requests for information without delay and provide the
information requested in an intelligible form within no more than 30 days. The information
specified above must be provided free of charge for any category of data once a year. As regards
grounds for refusal, the Data Protection Act did not implement Article 12(c) of Directive 95/46/EC,
under which certain rights of access may be refused if the data controller's compliance proves
impossible or involves a disproportionate effort, or if access would jeopardise third parties'
rights (e.g. confidentiality). In order to protect the interests of data controllers (such as huge
global organisations with many systems in place) against requests which would simply be
impossible to comply with, it is usually recommended that such data controllers reject an
unreasonable request, or a request which does not specify its exact scope appropriately, on the
basis of the general principles of the Hungarian Civil Code, i.e. that the request is made in bad
faith or is unreasonable, or that its purpose is to abuse the data controller's rights by hindering
its operation. Certain exemptions and restrictions in connection with the obligations and rights
outlined above, which are allowed by Section VI of Directive 95/46/EC (Exemptions and
Restrictions), are also implemented by the Hungarian Data Protection Act.
Rectification
Data processors must rectify all personal data that are inaccurate. When data are rectified, the
data subject to whom they pertain and all recipients to whom they were transferred for
processing must be notified. This notification is not required if omitting it does not violate the
rightful interest of the data subject in view of the purpose of processing. The Hungarian Data
Protection Act does not contain additional rules on rectification obligations, such as time limits,
grounds for refusal or fees. It is assumed that rectification must be made as soon as possible and
free of charge, and no specific grounds for refusal are set out in the Hungarian Data Protection Act.
Cancellation
All personal data must be erased (with the exception of those processed by order of a legal
regulation) if:
they are processed unlawfully
it is requested by the data subject
they are deficient or inaccurate and cannot be legitimately corrected, provided that deletion
is not disallowed by statutory provision
the purpose of processing no longer exists or the legal time limit for retention has expired
it is instructed by court order or by the Data Protection Commissioner.
When data are erased, the data subject to whom they pertain and all recipients to whom they
were transferred for processing must be notified. This notification is not required if omitting it
does not violate the rightful interest of the data subject in view of the purpose of processing.
As with the right to rectification, the Hungarian Data Protection Act does not contain additional
rules on cancellation obligations, such as time limits, grounds for refusal or fees. It is assumed
that erasure must be made as soon as possible and free of charge, and no specific grounds for
refusal (e.g. that the data are stored in an archiving system, that other information would be
destroyed upon deletion, or that the personal data are essential for exercising the rights of the
data controller) are set out in the Hungarian Data Protection Act. The Hungarian Data Protection
Act also does not regulate how a data controller could prove the lawfulness of the data
processing if all the personal data of the person requesting deletion are erased, including his/her
consent to the data processing.
Objection
The data subject has the right to object to the processing of data relating to him/her if
processing is carried out solely for the purpose of enforcing the rights and legitimate interests of
the controller. In the event of an objection, the controller must discontinue processing operations
and investigate the cause of the objection within the shortest possible time, not exceeding
15 days, and must notify the data subject in writing of the findings of the investigation. If the
objection is justified, the controller must terminate all processing operations (including data
collection and transmission), block the data involved and notify all recipients to whom any of
these data had previously been transferred of the objection and the ensuing measures; these
recipients must also take measures regarding the objection. If the data subject disagrees with
the decision taken by the controller, the data subject has the right to seek legal remedy (as
provided for by the Hungarian Data Protection Act) within 30 days of the date the decision was
conveyed.


What are the rights of the national data protection authority in
the process of transferring data?
As mentioned above, the publicly available opinions of the Data Protection Commissioner are
non-binding but serve as very strong guidelines in the interpretation of Hungarian data
protection law. Besides the right to impose sanctions in the case of a violation of the provisions of
the Hungarian Data Protection Act, as outlined under the next question below, the Data Protection
Commissioner has the power to conduct preliminary inspections prior to registration, particularly
prior to the processing of any new data files or the use of new data processing technologies by
financial institutions, telecommunication service providers and other regulated industries. Data
processors must notify the Data Protection Commissioner 30 days prior to the commencement of
processing any new data files or the use of new data processing technologies. The Data Protection
Commissioner must notify the data processor of its intention to conduct a preliminary inspection
within eight days of receiving the above notification and must carry out the inspection
within 30 days. Processing operations may commence only upon completion of the inspection
conducted by the Data Protection Commissioner. On the basis of the findings of the inspection,
the Data Protection Commissioner may prohibit the processing of specific data or may instruct
the data processor to change the processing technology.

What are the sanctions for infringing data transfer requirements,
and how likely are they to be applied from the practical
perspective? Please elaborate on the enforceability of
these sanctions.
Administrative remedies and other sanctions
In the case of a violation of the provisions of the Hungarian Data Protection Act, the Data
Protection Commissioner is entitled to the following:
Advising the data processor to cease the operation in question. The data processor must comply
within 30 days and must report to the Data Protection Commissioner in writing on the
measures taken.
Announcing to the general public the opening of proceedings and any unlawful data
processing operations; the announcement may identify the controller/processor, the measures
proposed and the resolutions adopted.
(If the controller or processor fails to comply and to cease the unlawful processing of
personal data): Ordering that unlawfully processed data be blocked, deleted or destroyed, or
prohibiting the unauthorised data processing operations and suspending any operation
aimed at transferring data abroad.
Judicial remedies
In accordance with Article 22 of Directive 95/46/EC (Remedies), the Hungarian Data Protection
Act allows a data subject to bring a court action against the controller for any violation of his/her
rights. The court must hear such cases immediately. The burden of proving compliance with
the law lies with the data processor. Such lawsuits are heard by the court in whose jurisdiction
the controller's registered address (residence) is located or, if so requested by the data subject, by
the court in whose jurisdiction the data subject's residence (place of abode) is located. If the
decision is in favour of the plaintiff, the court orders the controller to provide the information,
to correct or delete the data in question, to void the automated individual decision or to honour
the data subject's objection.
Persons who have suffered damage as a result of an unlawful processing operation or of any
other act incompatible with the Hungarian Data Protection Act are also entitled to claim
compensation, in accordance with the general rules of Hungarian civil law. The data
controller is liable for the acts of its data processors; however, it is exempt from liability if the
damage is caused either by a reason falling outside the scope of the liability pertaining to the
data processing or by wilful or grossly negligent acts of the person concerned.


Criminal law issues
Although the Hungarian Data Protection Commissioner is not entitled to impose a fine on the
data controller, a breach of the rules may constitute a crime (Misuse of Personal Data) if the
following criteria stipulated in Act IV of 1978 on the Hungarian Criminal Code are met:
Any person who, in violation of the statutory provisions governing the protection and processing
of personal data, in pursuit of unlawful financial gain or advantage, or by causing significant
injury to the interests of another person:
is engaged in the unauthorised or inappropriate processing of personal data, or
fails to take measures to ensure the security of data
is guilty of a misdemeanour punishable by imprisonment for up to one year, community service
or a fine.
Any person who fails to provide information to the data subject as required by law and thereby
causes significant injury to the data subject's interests is punishable in the same way.
Any misuse of special (sensitive) personal data is punishable by imprisonment for up to two
years, community service or a fine.
The misuse of personal data is treated as a felony punishable by imprisonment for up to
three years if it is committed by a public official or in the course of discharging a public duty.


Poland

What is the regulatory framework on transferring personal data
to another country?
The Polish regulatory framework on transferring personal data to another country is provided in the
1997 Act on Personal Data Protection (the Data Protection Act or the Act), which implemented
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the
protection of individuals with regard to the processing of personal data and on the free movement
of such data.

Are there any bans on the transfer of personal data to another
country; e.g. due to the type of data, or the type of data controller?
There are no explicit bans on the transfer of personal data. Nevertheless, a transfer may only
be conducted if certain conditions are fulfilled.

What are the legal requirements for transferring personal data to
another country?
The legal requirements for transferring personal data to another country vary depending on the
country of destination. In general, different legal requirements apply to transfers of data
between entities with their seats in the European Economic Area (EEA) and transfers outside it.
Transferring data outside the EEA is more complicated because of the limited number of
countries that ensure an adequate level of data protection.
It must be stressed, however, that in both cases a data controller needs a valid legal basis to
process the data in the first place (e.g. the consent of the data subject). In the case of an
international transfer, it has to meet the additional requirements that apply to such a transfer.


In the case of transfers of personal data to countries located within the EEA, there are no specific
requirements concerning data transfers. Such transfers are treated the same as transfers inside
the territory of Poland.
The transfer of personal data to third countries providing an adequate level of personal data
protection may be conducted on the same conditions as within the EEA.
In the case of third countries that do not provide an adequate level of personal data protection,
the data controller may transfer the data only if:
the data subject has given his/her written consent
the transfer is necessary for the performance of a contract between the data subject and the
controller, or takes place in response to the data subject's request
the transfer is necessary for the performance of a contract concluded in the interests of the
data subject between the controller and another entity
the transfer is necessary or required by reason of public interest or for the establishment of
legal claims
the transfer is necessary in order to protect the vital interests of the data subject
the transfer relates to data which are publicly available.
Alternatively, a data controller may apply for the prior consent of the Polish Data Protection
Authority (GIODO) to transfer personal data to a third country which does not ensure at least the
same level of personal data protection as that in force in the territory of Poland. Such consent is
issued provided that the controller ensures adequate safeguards with respect to the protection
of the privacy, rights and freedoms of the data subject.
The above requirements regarding transfers to a third country do not apply to the transfer of
personal data required by legal provisions or by the provisions of any ratified international
agreement.

Please describe how an adequate level of personal data
protection is understood under your national regulations.
The Data Protection Act does not directly state what criteria determine whether a third country
ensures a proper level of protection of personal data. The general rule, under art. 47.1 of the
Act, is that the country of destination should ensure at least the same level of personal data
protection in its territory as that in force in the territory of Poland. The data controller is obliged
to evaluate for itself whether the country of destination ensures the corresponding guarantees
of data protection.
It needs to be underlined that if there is any doubt about the level of protection in a third country,
the data controller must fulfil one of the prerequisites mentioned in the Act.
The Inspector General for Personal Data Protection (GIODO) does not issue decisions
acknowledging that third countries ensure an adequate level of personal data protection. The
European Commission decisions specifying which third countries ensure a proper level of data
protection are recognised and respected by the Polish data protection authority. The list currently
comprises: Argentina, Canada, Switzerland, Guernsey and the Isle of Man.
Additionally, transferring data between bodies with their seat in one of the EU Member States
and US companies participating in the Safe Harbour programme is treated as a transfer between
countries that ensure an adequate level of personal data protection.


How long does it take and what are the costs involved in
obtaining the authorisations enabling the transfer of data to a
third country?
The proceedings for issuing consent are carried out on the basis of the regulations applicable to
administrative proceedings and involve only minor formal requirements. It is necessary to
pay a fee of PLN 10 for the issue of a decision, and PLN 17 for a power of attorney (if an attorney
is appointed to participate in the proceedings). An application for consent to a transfer should
specify:
the parties to the contract for data transfers
the categories of transferred data
the scope of the data
the purpose for which and the time at which the data are to be transferred
the means adopted to protect the rights of the individuals to whom the data relate (e.g.
Binding Corporate Rules or Standard Contractual Clauses)
the technical means of securing the data applied by the receiving entity (security policy).
During the proceedings GIODO reviews the application and may demand additional information
or documents confirming that the transferring parties ensure an appropriate level of protection of
personal data. This may significantly extend the proceedings. In practice the proceedings for
issuing consent may take from 1 to 6 months.

Are EU standard contractual clauses and/or Binding Corporate Rules
(BCR) recognised in your jurisdictions? If not, please explain why.
GIODO is aware of the EU standard contractual clauses (SCC) and Binding Corporate Rules (BCR);
however, it needs to be underlined that the application of SCC or BCR does not provide an
automatic authorisation for data transfers.
The use of SCC or BCR may only facilitate obtaining GIODO's consent to the personal data
transfer, serving as proof that sufficient guarantees of personal data security have been provided.

What is the approach of your national data protection authorities
to whistle-blowing hotlines (SOX) involving the transfer of data
to other countries?
The Polish Data Protection Act does not contain specific provisions regarding whistle-blowing
schemes. Poland has not implemented any act covering the provisions of SOX.
GIODO recognises the opinion of the Article 29 Data Protection Working Party on the
application of EU data protection rules to internal whistle-blowing schemes in the fields of
accounting, internal accounting controls, auditing matters, fighting bribery, and banking and
financial crime (Opinion 1/2006, WP 117). Nevertheless, whistle-blowing schemes adopted in
Poland must comply with Polish law.

What are the rights of data subjects during the process of
transferring data?
Transferring personal data constitutes processing of personal data. Consequently during the
process of transferring their personal data, data subjects have the same rights as when their
personal data are processed. For instance, a data controller should inform a data subject about
data recipients (note: data processors are not regarded as data recipients), if they are known
when the data is collected.

What are the rights of the national data protection authority in
the process of transferring data?
GIODOs duty is to supervise the compliance of data processing with provisions on the protection
of personal data. In the case of any breach of the data protection laws in relation to personal
data transfer, GIODO may exercise its rights and order, by means of an administrative decision,
that the negligence be remedied, or suspend the flow of personal data to a third country, among
other things.
In the case of applications for GIODOs consent for transferring personal data to third countries,
GIODO may refuse to give its consent to a transfer to a country where the level of personal data
protection is not adequate.

What are the sanctions for infringing data transfer requirements,
and how likely are they to be applied from the practical
perspective? Please elaborate on the enforceability of
these sanctions.
An infringement of the Data Protection Act can lead to civil liability (e.g. damages, including
moral damages), administrative liability and criminal liability.
If the controller of a data filing system, or a person obliged to protect personal data, discloses
the data or provides access to them to unauthorised persons, he or she is liable to a fine, a
penalty of restriction of liberty or deprivation of liberty for up to two years.
As regards GIODO's decisions ordering a discontinuance of data transfers, currently no sanctions
can be imposed for a failure to comply. As an auxiliary measure, in exceptional cases, GIODO
notifies prosecution bodies (prosecutors) of identified breaches. Planned amendments to the
Data Protection Act include strengthening GIODO's enforcement of the legal regulations by
authorising it to impose fines on entities that fail to comply with GIODO's decisions (up to
100,000).


Romania

What is the regulatory framework on transferring personal data
to another country?
Romania's regulatory framework on transferring personal data to other countries consists of the
following regulations:
Law no. 102/2005 on the setting up, organisation and functioning of the National Supervisory
Authority for Personal Data Processing (Law 102).
Law no. 677/2001 on the protection of individuals with regard to the processing of personal
data and the free movement of such data (the Law); the Law implemented into national law
Directive 95/46/EC on the protection of individuals with regard to the processing of personal
data and on the free movement of such data.
Decision no. 28/2007 on the transfer of personal data to other countries (Decision 28).
Decision no. 167/2006 on the establishment of standard contractual clauses concerning
personal data transfers to a processor established in a country whose legislation does not
provide for protection at a level at least equal to that provided by Romanian law (Decision
167). Decision 167 implemented into national law European Commission Decision
2002/16/EC on standard contractual clauses for the transfer of personal data to processors
established in third countries, under Directive 95/46/EC.
Order no. 6/2003 on the establishment of standard contractual clauses concerning personal
data transfers to a data controller established in a country whose legislation does not provide
for protection at a level at least equal to that provided by Romanian law (Order 6).
Decision no. 11/2006 on establishing the categories of personal data processing
operations which are likely to present special risks to the rights and liberties of
individuals (Decision 11).
The Convention for the Protection of Individuals with regard to Automatic Processing of
Personal Data of 28 January 1981, ratified by Romania by Law no. 682 of 28 November 2001
(the 1981 Convention).
Decision no. 172/2007 on the adequate protection of personal data in Argentina.
Decision no. 173/2007 on the adequate protection of personal data provided by the
Canadian Personal Information Protection and Electronic Documents Act of 13 April 2000.

Decision no. 174/2007 on the adequate protection of personal data provided in Switzerland.
Decision no. 175/2007 on the adequate protection of personal data provided in Guernsey.
Decision no. 176/2007 on the adequate protection of personal data provided in the Isle of Man.
Decision no. 90/2008 on the recognition of an adequate level of protection of personal data
provided in Jersey.

Are there any bans on transferring personal data to another
country; e.g. due to the type of data, or the type of data controller?
Under the Law, personal data may be transferred to another country if Romanian regulations are
observed and the legislation of the country of destination provides an adequate level of
protection, at least equal to the protection granted under Romanian legislation. The countries
deemed to provide such protection are the countries of the EU/EEA and six additional
jurisdictions: Argentina, Canada, Switzerland, Guernsey, the Isle of Man and Jersey (admitted on
the basis of decisions of the European Commission).
The Romanian data protection authority may authorise the transfer of personal data to another
state that does not have at least the same level of protection as that offered under Romanian
legislation, provided that the data controller offers sufficient guarantees regarding the protection
of fundamental individual rights. Such guarantees have to be included, by way of adequate
contractual clauses, in contracts concluded between the data controller and the legal or natural
persons that ordered the transfer.
Under Decision 167 and Order 6, the Romanian data protection authority may prohibit or
suspend a transfer made by a Romanian-based data controller to a non-EU/EEA processor or
non-EU/EEA data controller in any of the following cases, provided that the data subject
did not expressly consent to such a transfer:
The national law of the non-EU/EEA data processor or non-EU/EEA data controller requires
that data processor or data controller to disregard the applicable standard contractual clauses.
The data transfer might involve non-observance of the standard contractual clauses, and
therefore the transfer is likely to prejudice the data subject.
A competent authority has assessed that the data processor did not observe the contractual clauses.
The exceptions provided above regarding the transfer of personal data abroad do not apply if the
data processing is made exclusively for journalistic, literary or artistic purposes, if the data were
made public by the data subject, or if such data are closely related to the public status of
the data subject or to the facts in which the data subject is involved.

What are the legal requirements for transferring personal data to
another country?
In all cases, the transfer of personal data to another country is subject to a prior notification
submitted to the Romanian data protection authority.
When transferring personal data to any EU/EEA country, or to any of the six jurisdictions
recognised as having an adequate level of protection, there is no need for the data
protection authority to approve the transfer.
Transfers of personal data to non-EU/EEA countries (other than the six jurisdictions) have to be
notified to and also approved by the data protection authority.
As mentioned above, the data protection authority may authorise the transfer of personal data to
another state that does not have at least the same level of protection as that offered by Romanian
legislation, provided that the data controller offers sufficient guarantees regarding the protection
of fundamental individual rights.


Please describe how an adequate level of personal data
protection is understood under your national regulations.
The Romanian data protection authority assesses an adequate level of protection in the light of
all the circumstances surrounding a data transfer operation, particular consideration being given
to i) the nature of the personal data transferred, ii) the country of origin and the country of
destination, iii) the legislation of the destination country, and iv) the scope and duration of the
proposed personal data processing operation.

How long does it take and what are the costs involved in
obtaining the authorisations enabling the transfer of data to
another country?
For EU/EEA countries and the six jurisdictions recognised as having an adequate level of
protection (i.e. Argentina, Canada, Switzerland, Guernsey, the Isle of Man and Jersey), the transfer
may take place upon submission of the notification. The Law does not provide a specific time
limit by which such a notification must be submitted.
When data are to be transferred to non-EU/non-EEA countries other than the six
above-mentioned jurisdictions, approval from the Romanian data protection authority must be
issued. As a result, the transfer is enabled as of the moment such approval is officially issued by
the Romanian data protection authority. Such approval is issued within at least 30 days of
notice of the transfer being given.
There is no cost involved in obtaining the authorisation enabling the transfer of personal data to
other countries.

Are EU standard contractual clauses and/or Binding Corporate Rules (BCR) recognised in your jurisdictions? If not, please explain why.
As previously mentioned, the Romanian data protection authority may authorise the personal
data transfer to another state that does not have at least the same protection level as offered
under Romanian legislation, provided that the data controller offers sufficient guarantees on the
protection of fundamental human individual rights. Such guarantees have to be included, as
adequate contractual clauses, in contracts concluded between a Romanian-based data controller
and the legal entities or natural persons that ordered the transfer.
The standard contractual clauses provided for in Decision 167 apply to the transfer of personal
data to non-EU/EEA recipients, who act only as processors.
The standard contractual clauses established by Order 6 apply to the transfer of personal data to
non-EU/EEA recipients, who act only as data controllers.
Under Decision 167 and Order 6, if required, the data controller and/or the data processor shall
submit a copy of such contractual clauses to the Romanian data protection authority.

What is the approach of your national data protection authorities to whistle-blowing hotlines (SOX) involving the transfer of data to other countries?
Under Romanian data protection regulations, there are no specific regulations regarding
whistle-blowing hotlines. However, we believe that the personal data of the individuals who
intend to reveal wrongdoings within organisations are protected under the Law.

As a rule, the existing whistle-blowing hotlines in Romania (e.g. Child Phone Association,
Romanian General Anticorruption Directorate) are bound by confidentiality rules regarding the
information they can collect and pass on to competent authorities. The data subject shall also
have the right to be informed, to access the data, to intervene and to object to his/her data
processing/transfer, under the Law.
The personal data of such individuals is not revealed to the public.

What are the rights of the data subjects during the process of
transferring data?
When personal data is transferred abroad, the data transfer subjects have the following main
rights provided for in the Law and in the standard clauses:
- To be informed of the scope of the transfer, the recipients of his/her data, the data
controller's identity, etc.
- To have access to his/her data.
- The right of intervention over his/her data (e.g. rectification, updating, blocking or deletion of
data whose processing does not comply with the provisions of the Law and of the standard
clauses, especially of incomplete or inaccurate data).
- The right to object at any moment, based on justified and legitimate reasons linked to his/her
particular situation, to the processing of data regarding himself/herself, except where specific
legal provisions provide otherwise.
- The right to refer to a court of law.
- To invoke against the Romanian-based data controller and/or foreign data processor/data
controller the Beneficiary Third Party clause stipulated in the standard clauses under
Decision 167 and Order 6 (e.g. to be provided with a copy of the standard clauses, to be
indemnified by a data controller and/or by a data processor in case of prejudice due to
infringement of the Beneficiary Third Party clause, etc.).
- To be represented, upon his/her request, by an association or by other persons, if the law
allows it.

What are the rights of the national data protection authority in the process of transferring data?
Under the Law and Law 102, the main rights of the Romanian data protection authority are
as follows:
- The right to be notified in advance in relation to any transfer of personal data to other
countries. Also, the authority may investigate, ex officio, any infringement of a data transfer
subject's personal rights or of data controllers' and/or processors' obligations, with the
purpose of protecting the rights and fundamental liberties of data transfer subjects. At any
time, the Romanian data protection authority may require data controllers/processors to
provide further information on the transfer of personal data.
- The right to assess the level of protection ensured in the regulations of countries where the
transfer of personal data is to be made.
- The right to approve the transfer of personal data to a country which is not considered to
ensure a level of protection at least equal to that provided by Romanian regulations, by
assessing the guarantees established by data controllers.
- The right to prohibit or suspend the transfer performed by a Romanian-based data controller
to a non-EU/EEA processor or non-EU/EEA data controller in a number of cases, as
mentioned at point 2 above.
- The Romanian data protection authority is entitled to make a prior check if it determines that
the processing of personal data involves special risk to the rights and liberties of individuals,
including cases of transfer of personal data abroad. As a rule, within a 30-day period from
the notification date, the authority is obliged to issue a decision in this regard, assessing the
risks involved as per Decision 11.


- Under Decision 167, the Romanian data protection authority has the right to check the
contractual clauses used by a data processor established in a country whose legislation does
not provide for a protection level at least equal to that provided by Romanian law, in the
same conditions applicable to Romanian-based data controllers.

What are the sanctions for infringing data transfer requirements, and how likely are they to be applied from the practical perspective? Please elaborate on the enforceability of these sanctions.
Under the Law, infringements of data transfer requirements are sanctioned as minor offences,
unless they represent criminal offences. The Law provides for the following offences:
- The data controller's failure to notify the Romanian data protection authority before
transferring personal data to another country, filing an incomplete notification or a
notification containing false information. These offences are fined from RON 500 (EUR 125) to
RON 10,000 (EUR 2,500).
- The data controller's and processor's failure to observe the confidentiality and security of data
processing obligations. This offence is fined from RON 1,500 (EUR 375) to RON 50,000 (EUR 12,500).
- Refusal to provide the data protection authority with any information or documents
requested during an investigation regarding the transfer of personal data abroad. This
offence is fined from RON 1,000 (EUR 250) to RON 15,000 (EUR 3,750).
- Illegal processing of personal data is fined from RON 1,000 (EUR 250) to RON 25,000 (EUR 6,250).
In our experience, when provisions of the data protection regulations have been infringed, the
Romanian data protection authority recommends remedying the infringed legal provisions within a
specific timeframe. Fines are only imposed as a last resort. The data controller may challenge
the findings of the Romanian data protection authority in the courts at any time. During the court
proceedings, the enforcement of the Romanian data protection authority's findings is suspended
by law.


Russia

What is the regulatory framework for transferring personal data to another country?
The main regulations for transferring personal data to another country can be found in the
Federal Law On Personal Data (27 July 2006, No 152-FZ) (hereinafter the Personal Data
Protection Act). General regulations on personal data protection can be found in the Russian
Constitution (12 December 1993), the Russian Labour Code (30 December 2001, No 197-FZ) and
other applicable legal acts.
NOTE: The Personal Data Protection Act came into force in January 2007. Prior to the
introduction of this Act, personal data protection was not regulated by any specific federal
legislation. This legal act is still new and administrative practice related to its implementation only
began to develop in 2009.
The Personal Data Protection Act applies to any entity that processes personal data.
Processing of personal data means actions (operations) involving personal data, including the
collection, systematisation, accumulation, safe-keeping, verification (updating and amendment), use,
dissemination (including transfer), depersonalisation, blocking and destruction of personal data.
Cross-border transfer of personal data is the transfer of personal data by an operator across
Russia's state border to a body in a foreign state, an individual or a legal entity.
The Personal Data Protection Act does not apply to:
- processing personal data exclusively for personal and family needs
- archiving documents containing personal data pursuant to the Russian legislation on
archive-keeping
- processing data in relation to individuals registered as individual entrepreneurs in connection
with their business activities
- processing personal data concerning state secrets.


Are there any bans on transferring personal data to another country; e.g. due to the type of data, or the type of data controller?
The law introduces categories of personal data, the processing of which is prohibited as a
general rule:
- Special categories of data (sensitive data): personal data concerning racial and/or national
background, political outlook, religious or philosophical convictions, state of health, intimate
life and criminal convictions.
The processing of sensitive data such as personal data concerning racial and/or national
background, political outlook, religious or philosophical convictions, state of health or intimate
life is only permitted in cases where the personal data subject has given written consent to the
processing of his/her personal data.
Nevertheless there are some exceptions that allow the processing of such data without the data
subject's consent. These exceptions include situations where:
- the sensitive data is publicly available
- the sensitive data concerns the health of the personal data subject, and its processing is
necessary for the protection of his/her life, health or the vital interests of other people, and it
is impossible to obtain consent from the personal data subject
- the processing of sensitive data is for medical purposes and is carried out by a medical
professional, provided that medical confidentiality is observed
- the processing of sensitive data is required for judicial proceedings or investigative activities
- the processing of sensitive data is exercised in accordance with the Russian legislation
concerning public security and law enforcement activities.
NOTE: The processing of personal data on criminal convictions may be performed only by state
authorities or municipal authorities within the limits of the powers vested in them in accordance
with Russian legislation, as well as by other parties in cases and according to the procedure
determined in accordance with federal laws.

What are the legal requirements for transferring personal data to another country?
NOTE: Russian law does not distinguish between data controller and data processor, or between
data exporter and data importer, as prescribed by European legislation. Russian law uses the
general term "operator". Operator means a state body, legal entity or individual that processes
personal data and determines the goals and content of personal data processing. Russian law
provides for general requirements for all operators of personal data regardless of whether the
operator is a controller, processor, exporter or importer of data.
Under the Personal Data Protection Act, before transferring personal data abroad the operator must
make sure that the relevant country provides for an adequate level of protection of the rights of
personal data subjects.
Cross-border transfer may be banned or limited for the purposes of protecting the constitutional
system, morality, health, rights and legal interests of citizens, and ensuring defence and
state security.
The legal requirements for transferring personal data to another country are:
1. Obtaining the data subject's explicit and informed consent.


In giving his/her consent for his/her personal data to be processed, a personal data subject is
entitled to receive information on the methods of personal data processing used by the operator,
data on persons who have access to the personal data or who may be given such access, the time
limits for personal data processing, and the legal consequences that the processing of his or her
personal data may entail vis-à-vis the subject of personal data. A personal data subject is
therefore entitled to receive information on the operator or on any third party (group company or
a processing company that processes his/her personal data).
The obligation to furnish proof of obtaining the personal data subject's consent for processing
his/her personal data rests upon the operator.
Some exceptions under which personal data can be processed without the personal data
subject's consent are as follows:
- the processing is exercised on the basis of a federal law, e.g. legislation on investigative
activities, security and criminal enforcement
- the processing is necessary for the performance of an agreement to which the personal
data subject is a party. Nevertheless, if an operator processes personal data for purposes
other than just the performance of the agreement, the personal data subject's consent
should be obtained
- the processing is for certain statistical or scientific purposes, provided that the personal
data is depersonalised
- the processing is carried out for postal or telecommunication purposes
- the processing concerns personal data that is publicly available in accordance with federal
legislation.
2. Ensuring confidentiality and the safety of the data.
The Personal Data Protection Act provides for general requirements when entrusting the processing
of data to any third party within Russia or abroad. Under the law, an operator may entrust a third
party with the processing of personal data under an agreement. The essential term of the agreement
shall be the third party's obligation to ensure the confidentiality of personal data and the security
of the personal data being processed. Third parties shall independently satisfy the legal
requirements for processing personal data. Under the law, should an operator receive personal data
from a source other than the subject of the personal data, the latter is entitled to receive all the
necessary information about the company that will directly operate his/her data (the name and
address of the company, the goal of personal data processing, etc.).
The processing of personal data should ensure the following:
- the prevention of unauthorised access to the personal data and/or its transfer to persons
not authorised to access it
- the timely detection of any unauthorised access to the personal data
- the prevention of the hardware being affected by automated personal-data processing
tools which may disrupt its operation
- the immediate restoration of personal data that has been modified or destroyed as a result
of unauthorised access
- the permanent monitoring of the adequate protection of personal data.
3. Storing the data within a limited time period.
The Russian Data Protection Act does not establish particular restrictions as to the term of
storage of information. Personal data may be stored until the fulfilment of the purpose for which
it was collected, after which the operator must destroy the data within three working
days, unless prescribed otherwise by the law.
4. Following technical measures (encryption/cryptography devices).


Any operator shall, in processing personal data, be obliged to take the organisational and
technical measures required under Russian law. This may include using encryption (cryptographic)
facilities to protect personal data against any illegal or accidental access thereto, and against the
destruction, alteration, blocking, copying or dissemination of personal data, as well as against other
illegal actions. Special Russian Government Resolutions and instructions of the Russian Federal
Security Service describe in detail which measures should be taken by operators.
5. Notifying the authorised data protection authority.
An operator is to send a notification to the Russian Data Protection Authority (Roskomnadzor)
(hereinafter the Data Protection Authority) of any intention to process personal data,
irrespective of whether cross-border transfer will take place or not.
No official document is required from the Data Protection Authority to start processing personal
data. There is no requirement to provide regular updates.
The notification should be made in writing, signed by an authorised person and sent by mail or
by electronic mail verified by the registered electronic signature of an authorised person.
The notification procedure is free of charge for the operator.
The notification should be submitted to the territorial branch of the Data Protection Authority.
There is no obligation to notify the Data Protection Authority in cases where:
- the personal data concerns personal data subjects who have an employment relationship
with the operator
- the personal data is processed exclusively for the purposes of an agreement between the
personal data subject and the operator. However, if an operator processes personal data for
purposes other than just the performance of an agreement, the notification should be sent to
the Data Protection Authority
- the personal data includes only the surnames, names and patronymics of personal data subjects
- the personal data is included in public information databases.

Please describe how an adequate level of personal data protection is understood under your national regulations.
An adequate level of protection of personal data means the confidential data security level that
the relevant foreign authority can ensure under the local laws and which is not lower than the
confidential data security level provided for under Russian law.
The main requirement for cross-border transfers of personal data is that the destination country
provides for an adequate level of protection concerning the rights of personal data subjects.
Personal data may be transferred to a country that does not provide an adequate level of
protection (to third countries) in the following cases:
- the personal data subject has given his/her written consent to the transfer
- the transfer is permitted by international or bilateral treaties
- the transfer is permitted by federal laws on the grounds of protection of the constitutional
system of Russia and state security
- the transfer is necessary for the performance of an agreement to which the personal data
subject is a party
- the transfer is necessary for the protection of the life, health and vital interests of the
personal data subject or other persons, and it is impossible to receive written consent from
the data subject.
NOTE: The procedure for identifying which country can be classified as a country providing the
necessary level of data protection has not yet been established. Currently there is no list of
approved countries.


In the unofficial opinion of the Russian Personal Data Protection Authority, member-countries of
the Convention for the protection of individuals regarding the automatic processing of personal
data (28 January 1981 ETS No108) are supposed to be regarded as countries providing an
adequate level of personal data protection.
Also, countries that adopted global laws on the protection of personal data may be considered as
providing an adequate level of protection, such as Andorra, Argentina, Israel, Canada, Norway,
Japan, etc.

How long does it take and what are the costs involved in
obtaining the authorisations enabling the transfer of data to
another country?
Under Russian law no official authorisation is required to transfer personal data to another country.

Are EU standard contractual clauses and/or Binding Corporate Rules (BCR) recognised in your jurisdictions? If not, please explain why.
EU standard contractual clauses and/or Binding Corporate Rules (BCR) are not recognised in
Russia. Russia is not a member of the European Union. Thus, neither standard contractual clauses
nor Binding Corporate Rules (BCR) are applicable in Russia.
NOTE: European regulations have had a great impact on Russian personal data protection
legislation. Namely, when drafting the Russian Personal Data Protection Act, lawmakers based
themselves on the Convention for the protection of individuals with regard to the automatic
processing of personal data of 1981 and on EU Directive 95/46/EC of 1995 on personal
data processing. The Russian Personal Data Protection Act therefore has a lot in common with
European legislation.

What is the approach of your national data protection authorities to whistle-blowing hotlines (SOX) involving the transfer of data to other countries?
The Russian Data Protection Authority has not issued any official opinion on whistle-blowing
hotlines at the moment.

What are the rights of the data subjects during the process of
transferring data?
The rights of the data subjects during the process of transferring data are:
- to obtain information about the operator, its location and the personal data in its possession
which concerns the particular personal data subject, as well as to become acquainted with
this data
- to demand that the operator specify his/her personal data, or block or destroy it, in the event
that the personal data is incomplete, outdated, inaccurate, illegally obtained or is not essential
to the declared goal of processing, as well as to take measures envisaged under the law to
protect his/her rights
- to know the reason for processing, the time limits for keeping the data, as well as the
consequences of processing


- to appeal against the actions or inaction of the operator to the Data Protection Authority or
in a judicial procedure, if the personal data subject considers that the operator is processing
his or her personal data in violation of the requirements of the law.

What are the rights of the national data protection authority in the process of transferring data?
The law designates the Federal Communications Supervision Service (Roskomnadzor) as the state
authority that ensures general supervision over the compliance of personal data operators
with the law.
The Data Protection Authority shall be entitled:
- to demand that the operator update, block or destroy inaccurate or illegally obtained
personal data
- to suspend or terminate the processing of personal data effected in violation of the
requirements of Russian law
- to apply to the court with statements of claim to protect the rights of personal data
subjects and represent their interests in court
- to file applications with the body licensing the activity of the operator to consider taking
measures to suspend or annul the licence in a procedure established under Russian law, when
the prerequisite of the licence to conduct that activity is a ban on the transfer of personal
data to third persons without the written consent thereto of the personal data subject
- to send to the prosecution bodies and other law enforcement bodies material needed for
legal proceedings on the basis of elements of crime associated with the violation of the
personal data subject's rights, in accordance with the relevant legislation
- to bring persons guilty of violating the Personal Data Protection Act to administrative
responsibility.

What are the sanctions for infringing data transfer requirements, and how likely are they to be applied from the practical perspective? Please elaborate on the enforceability of these sanctions.
Under the Personal Data Protection Act, an infringement of a personal data subject's rights
can lead to civil liability (e.g. damages, including moral damages), administrative liability and
criminal liability:
- The Russian Code on Administrative Violations provides for several administrative violations
relating to data protection. For example, a breach of the legal requirements relating to the
collection, storage, use or distribution of personal data may lead to a fine of up to RUR
10,000 (approximately EUR 250) for legal entities.
- The Russian Criminal Code also provides for criminal offences related to data protection. For
example, the violation of personal privacy may lead to a fine of up to RUR 200,000 (EUR 4,800),
mandatory public works for up to 180 hours, or detention for up to four months.
NOTE: In most cases, companies are fined under the Code of Administrative Violations for
failure to notify the Data Protection Authority of the processing of personal data.
Summary
The Personal Data Protection Act authorises companies to collect, use, store or otherwise
process personal data only for the specific purposes set forth in the law or with the
individual's consent. The operator must ensure personal data confidentiality in accordance
with the requirements for security and storage conditions established by the Russian
government. The only exceptions are depersonalised data and personal data for public use.


There are also restrictions on the transfer of personal data outside Russia. Although
companies may freely transfer personal data to countries that adequately protect data
subjects' rights, there is currently no list of approved countries. In addition, personal data may
be transferred to any country, regardless of the level of personal data protection the recipient
country offers, with the written consent of the individual concerned. The law grants
individuals and their representatives the right to access the individual's personal data and to
object to the processing of the data.
Cross-border transfers are not very well regulated. At the moment the Data Protection
Authority has no mechanism to effectively control the heavy flows of personal data of Russian
citizens that are stored abroad in the global databases of big companies. There will probably be
amendments to the Personal Data Protection Act in the near future regarding the powers of
the Data Protection Authority on this issue.
Russian legislation on personal data protection is still new. Although it is similar in style to
data protection laws in the European Union, the enforcement authorities themselves have many
questions and discrepancies as to the application of the Personal Data Protection Act.
Compliance with the Act may prove to be challenging because of its burdensome
requirements, possible inconsistencies with other Russian laws and lack of interpretation. Moreover,
although the Personal Data Protection Act provides a number of exceptions to the notification
requirement, many companies are still required to notify the authorities.


Slovakia

What is the regulatory framework on transferring personal data to another country?
The regulatory framework on transferring personal data to another country is provided in Act No.
428/2002 Coll. on Protection of Personal Data (further as the Act on Protection of Personal
Data) which implemented the Directive of the European Parliament and Council of 24 October
1995 on the protection of individuals with regard to processing personal data and on the free
movement of such data.
Commission decision No. 2002/16/ES of 27 December 2001, Commission decision No. 2001/497/
ES of 15 June 2001 and Commission decision No. 2004/915/ES of 27 December 2004 on
standard contractual clauses apply with regard to the transfer of data to third countries.

Are there any bans on transferring personal data to another country; e.g. due to the type of data or the type of data controller?
First of all, controllers contemplating a transfer of personal data must decide whether the
personal data will be transferred within the EU or to third countries. Transferring data between or
to European Economic Area countries, or countries that ensure an adequate level of personal
data protection is treated as a transfer inside EU Member States.
There are no bans on the transfer of personal data, but several conditions need to be fulfilled, e.g.:
- a written contract on transferring the personal data should be concluded
- the consent of the data subject to transferring the personal data should be obtained by the
controller
- the consent of the Office for Personal Data Protection of the Slovak Republic to the transfer
should be obtained.

These conditions vary depending on the country where the personal data are to be transferred,
and if they are going to be transferred to a controller or to a processor.

What are the legal requirements for transferring personal data to another country?
The legal requirements for transferring personal data vary depending on the country where the
personal data are to be transferred. There are several regimes of transfer requirements, as
described below:
Transfer of personal data to third countries ensuring an adequate level of protection of
personal data
- this regime applies when transferring to Switzerland, Canada, Argentina, Guernsey or the Isle of Man
- a written contract on transferring personal data needs to be concluded between the transfer
parties, and the data subjects' consent to processing their personal data is needed
- if the controller contemplates a transfer of personal data to a country which ensures an
adequate level of protection before obtaining the personal data, he is obliged to inform the data
subjects about such transfer and obtain their consent to such transfer before the transfer starts
- if the controller contemplates a transfer of personal data to a processor after obtaining the
data, the controller has to inform the data subjects about such transfer within 3 months of
concluding the written contract with the processor
- if the controller contemplates a transfer of personal data to another controller after obtaining
the data, the consent of the data subjects is needed before the transfer starts.
Transfer of personal data within member states of the European Union
- the transfer of data is not restricted
- the same conditions apply as for the transfer of data to third countries ensuring an adequate
level of protection.
Transfer of personal data to third countries not ensuring an adequate level of personal
data protection
- a written contract for transferring personal data which contains standard contractual clauses
must be concluded between the transfer parties
- the transfer may be executed only on the condition that the data subject has consented to it
in writing, or it is necessary for performing a contract between the data subject and the
controller, or for performing an international treaty binding on the Slovak Republic, or it is
necessary for the protection of vital interests, or it concerns personal data which is already in
publicly accessible files
- if the data is transferred from a controller to a processor, the consent of the Office for
Personal Data Protection of the Slovak Republic is needed
- if a controller or processor in the USA has joined the Safe Harbour programme, the written
contract does not need to contain standard contractual clauses.

Please describe how an adequate level of personal data protection is understood under your national regulations.
Under Slovak law a country with an adequate level of protection means any country where the
legislation provides regulation of personal data protection comparable to the Slovak legal system.
When evaluating the adequacy of the level of personal data protection in cross border data
transfers the Office for Personal Data Protection of the Slovak Republic has the paramount role.
The office is entitled to evaluate the level of protection in the target country based on the
information obtained from international cooperation with similar supervisory bodies abroad and
decide whether the target country may be considered as providing an adequate level of protection.
How long does it take and what are the costs involved in
obtaining the authorisations enabling the transfer of data to
another country?
Consent enabling the transfer of personal data to another country (when needed) from the
Office for Personal Data Protection of the Slovak Republic may be obtained free of charge and
should be granted without undue delay, but no longer than 30 days after the application is
submitted by a controller.

Are EU standard contractual clauses and/or Binding Corporate Rules (BCR) recognised in your jurisdictions? If not, please explain why.
Yes, EU standard contractual clauses and Binding Corporate Rules are recognised in the Slovak
Republic.
The Slovak Republic is bound by the following European Commission decisions:
Commission Decision of 27 December 2001 on standard contractual clauses for the transfer
of personal data to processors established in third countries, under Directive 95/46/EC.
Commission Decision of 15 June 2001 on standard contractual clauses for the transfer of
personal data to third countries, under Directive 95/46/EC.
Commission Decision of 27 December 2004 amending Decision 2001/497/EC as regards the
introduction of an alternative set of standard contractual clauses for the transfer of personal
data to third countries.
Binding Corporate Rules may be adopted; however, they must not amend national regulations
on personal data protection and may only supplement national legislation.

What is the approach of your national data protection authorities to whistle-blowing hotlines (SOX) involving the transfer of data to other countries?
The Slovak Act on Protection of Personal Data does not contain any provision regarding whistle-blowing
hotlines. Whistle-blowing hotlines are not regulated in Slovakia. The general provisions
regarding the transfer of data should apply in this case as well.

What are the rights of the data subjects during the process of
transferring data?
Transferring personal data is considered to be a part of processing the personal data. Therefore,
during the process of transferring the personal data, a data subject has the same general rights
as when his personal data are processed, e.g.:
The data subject may request from the controller:
- information on the status of processing his personal data in the filing system, information on
  the source from which the controller obtained the personal data,
- a copy of his personal data, rectification of any inaccurate, incomplete or out-of-date data
  which is being processed,
- destruction of his personal data.
In some cases, the data subject may file objections with the controller:
- if his personal data is processed, used or provided for the purposes of direct marketing
- if the controller makes a decision which has legal effects on the data subject or significantly
  affects him, the data subject may refuse to submit to such decision
- if the controller wishes to transfer the data to a third country which does not ensure an
  adequate level of personal data protection, the data subject may refuse to consent to it.

What are the rights of the national data protection authority in the process of transferring data?
If the consent of the Office is necessary for transferring personal data, the Office may refuse to
consent to the transfer, if the level of protection of personal data in the third country is not
adequate.
At the same time, however, the Office checks whether the application fulfils the conditions,
in particular:
- unconditional acceptance of contractual clauses
- accuracy and completeness of submitted information, appointment of a person in charge on
  behalf of the controller
- where the parties are part of a multinational corporation, whether Binding Corporate Rules exist
- the purpose of transferring data and its necessity for the controller's contemplated
  transactions
- whether sensitive data are to be transferred
- period and security of personal data processing.
The Office could issue a binding decision, if the processor is in doubt about the eligibility of
transferring personal data to third countries.

What are the sanctions for infringing data transfer requirements, and how likely are they to be applied from the practical perspective? Please elaborate on the enforceability of these sanctions.
The Office may impose a fine of from 1,660 EUR to 165,970 EUR on a controller or processor
which transferred, processes or processed personal data in breach of, or failed to fulfil any of,
the obligations regarding the transfer of personal data to third countries.
If the Office determines that the obligation stipulated in the Act on Protection of Personal Data
was breached, it may disclose the business name, registered office and identification number of
the person who committed the illegal action jointly with the verdict.
Despite its own decision-making and sanction powers, the Office first employs preventive
measures with respect to entities processing personal data. As a rule, the Office tries to resolve
any identified breaches or other deficiencies by using milder measures such as recommendations
and measures to remedy deficiencies.
Financial sanctions or disclosure of data concerning breaches are only resorted to in the case of a
major infringement of law.
Ukraine

What is the regulatory framework on transferring personal data to another country?
There is no separate law in Ukraine which regulates the protection of personal data, including the
transfer of personal data to another country. For several years there have been efforts to enact a
Personal Data Protection Act, most recently in 2009; although that draft law was passed
by the Parliament at the first reading, there has been no further progress since.
In view of this, personal data protection is governed by the general legislation on information,
including the Constitution of Ukraine, the Civil Code of Ukraine, the Law of Ukraine "On
Information" (the "Information Law") and some other legislation.
Along with the regulations adopted within the country, certain provisions of international
agreements and treaties may contain references to cases when the information on personal data
may be transferred to another country.

Are there any bans on transferring personal data to another country; e.g. due to the type of data, or the type of data controller?
Personal information comes under the protection of both the Constitution of Ukraine and the
Information Law. Under the Constitution of Ukraine, the collection, storage, dissemination and
use of personal data without the consent of the individual involved is prohibited except for cases
(i) when it is explicitly provided for by law, and (ii) where the data is necessary for the purpose of
maintaining national security, economic welfare and for the protection of human rights.

The Ukrainian Parliament has adopted a Personal Data Protection Law that will become effective from 1 January
2011. The information on Ukraine provided in the Guide is valid only until that date.
Moreover, under the Information Law, when collecting and disseminating personal data, the
individual has a right to know the purpose of the information collection and dissemination and
may also access the information and object to any errors.
Thus, due to the lack of separate legislation in Ukraine in the sphere of personal data protection,
the general rules apply and, therefore, any transfer of personal data abroad requires the
relevant individual's consent unless the exemptions mentioned above apply.

What are the legal requirements for transferring personal data to another country?
There is no general procedure which may be applied to all cases of personal data transfer to
another country. Normally, the transfer of personal data abroad is provided for by mutual
international agreements between the Ukrainian government and the government of the
particular country. The procedure may vary from agreement to agreement, depending on factors
such as, for example, the economic sector in which the international agreement was concluded,
the level of information required, etc.

Please describe how an adequate level of personal data protection is understood under your national regulations.
The applicable laws do not provide a definition of the term "adequate level of personal data
protection". However, the Information Law imposes general confidentiality standards on owners
of information (data) and determines the general legal principles for receiving, using, distributing
and keeping information.

How long does it take and what are the costs involved in
obtaining the authorisations enabling the transfer of data to
another country?
Please refer to the answer to question 3 as regards procedural issues. With respect to the costs,
usually the transfer of personal data, when applicable, is conducted on a cost-free basis.
However, exemptions may be provided for by the relevant international agreements.

Are EU standard contractual clauses and/or Binding Corporate Rules (BCR) recognised in your jurisdictions? If not, please explain why.
Officially, only the laws of Ukraine, including international treaties duly ratified by the Ukrainian
Parliament, are recognised as the official source of law; therefore, EU standard contractual clauses
and BCRs are not recognised as official sources. However, so long as EU contractual clauses and/
or BCRs are not in conflict with Ukrainian law, they may be applied by the respective parties upon
their mutual agreement.

What are the rights of the data subjects during the process of
transferring data?
In accordance with the Information Law, the participants in an information relationship shall have
the right to receive (produce, obtain), use, disseminate, and store information in any form, using
any means, except in cases envisaged by law. Furthermore, the respective individual has a right to
know the purpose of the information collection and dissemination as well as access the
information and object to any errors.
What are the rights of the national data protection authority in the process of transferring data?
There is no single governmental body in Ukraine responsible for personal data protection. As
described above, the issue of personal data transfer abroad usually falls under the regulation of
separate international agreements between Ukrainian governmental authorities and those of the
respective foreign country. Thus, in each particular case the respective Ukrainian governmental
body which entered into the international agreement will have certain rights and obligations as
provided for by the relevant agreement.

What are the sanctions for infringing data transfer requirements, and how likely are they to be applied from the practical perspective? Please elaborate on the enforceability of these sanctions.
The Information Law allocates responsibility for breaches of information laws, which entail
disciplinary and administrative liability, as well as criminal prosecution in accordance with the
laws of Ukraine.
Responsibility for breaches of information laws is borne by persons that own personal
information and are found to have used and/or disseminated information relating to a person's
private life without that person's express consent.
Criminal liability
According to the Criminal Code of Ukraine, criminal liability applies to:
- any illegal collection, storage, use or dissemination of confidential information about a person
  (personal data) without his or her consent
- any illegal storage, use or dissemination of confidential information about a person without
  his or her consent by means of the operation of computers, computer systems and networks.
The criminal offences listed above may be punishable by fines (up to UAH 1700 (ca. EUR
150)), correctional (community) work, restriction of liberty or imprisonment. The punishment
depends on the consequences of the individual's illegal actions, the identity of the offender, etc.
Administrative liability
Under the Code of Administrative Offences of Ukraine, the following is punishable:
- collection, storage, use or dissemination of confidential or commercial information about a
  person, without his or her consent, with the purpose of harming the reputation of their
  business or property
- violating the permitted use of confidential information, distributing such information by
  means of information networks, on paper, magnetic and other media.
Administrative infringements are punishable by fines which are currently rather low (up to 200).
However, in practice such fines may well be applied.
Contacts

BULGARIA
David Butts
CMS Cameron McKenna EOOD
Soravia Centre
14 Tsar Osvoboditel Blvd.
Floor 2
1000 Sofia, Bulgaria
T +359 2 921 9910
F +359 2 921 9919
E david.butts@cms-cmck.com

THE CZECH REPUBLIC
Tomas Matejovsky
CMS Cameron McKenna v.o.s.
Palladium
Na Poříčí 1079/3a
110 00 Prague
Czech Republic
T +420 296 798 111
F +420 221 098 000
E tomas.matejovsky@cms-cmck.com

Helena Hailichova
CMS Cameron McKenna v.o.s.
Palladium
Na Poříčí 1079/3a
110 00 Prague
Czech Republic
T +420 221 098 887
F +420 221 098 000
E helena.hailichova@cms-cmck.com
HUNGARY
Dr Dóra Petrányi
Ormai és Társai CMS Cameron
McKenna LLP
YBL Palace, 3rd Floor
Károlyi Mihály utca 12
H-1053 Budapest, Hungary

POLAND
Dr Andrzej Krasuski
CMS Cameron McKenna Dariusz Greszta
Spółka Komandytowa
Warsaw Financial Center
ul. Emilii Plater 53
00-113 Warsaw, Poland
T +48 22 520 5555
F +48 22 520 5556
E andrzej.krasuski@cms-cmck.com

Marcin Lewoszewski
CMS Cameron McKenna Dariusz Greszta
Spółka Komandytowa
Warsaw Financial Center
Ul. Emilii Plater 53
00-113 Warsaw Poland
T +48 22 520 5525
F +48 22 520 5556
E marcin.lewoszewski@cms-cmck.com

ROMANIA
John Fitzpatrick
CMS Cameron McKenna SCA
24 Paleologu Street
Sector 3
030552 Bucharest, Romania
T +40 21 317 2279
F +40 21 317 2280
E john.fitzpatrick@cms-cmck.com

THE RUSSIAN FEDERATION
Leonid Zubarev
CMS Cameron McKenna LLP
Korobeynikov per. 1, bldg. 1A
119034 Moscow, Russia
T +7 495 258 5
F +7 495 739 33 55
E leonid.zubarev@cms-cmck.com

SLOVAKIA
Ian Parker
Ružička Csekes s.r.o.
in association with members of CMS
Vysoká 2B
811 06 Bratislava
Slovakia
T +421 2 32 33 3444
F +421 2 32 33 3443
E ian.parker@cms-cmck.com

UKRAINE
Olexander Martinenko
CMS Cameron McKenna LLC
6th Floor, 38 Volodymyrska Street
01034 Kyiv
Ukraine
T +380 44 391 33 77
F +380 44 391 33 88
E olexander.martinenko@cms-cmck.com

[Map: CMS offices]

CMS Cameron McKenna's free online information service
Receive expert commentary and analysis on
key legal issues affecting your business.
Register for free email alerts and access the
full Law-Now archive at www.law-now.com
CMS Cameron McKenna LLP
Mitre House
160 Aldersgate Street
London EC1A 4DD
T +44 (0)20 7367 3000
F +44 (0)20 7367 2000

© CMS Cameron McKenna LLP 2010

The information held in this publication is for general purposes and guidance only and does not purport to constitute legal or professional advice.
CMS Cameron McKenna LLP is a limited liability partnership registered in England and Wales with registration number OC310335. It is able to
provide international legal services to clients utilising, where appropriate, the services of its associated international offices. The associated
international offices of CMS Cameron McKenna LLP are separate and distinct from it. We use the word "partner" to refer to a member, or an
employee or consultant with equivalent standing and qualifications.
Further information about the firm can be found at www.cms-cmck.com
CMS Cameron McKenna LLP is a member of CMS, the organisation of nine European law firms providing businesses with legal and
tax services in 27 jurisdictions, with 53 offices in Western and Central Europe and beyond. CMS aims to be recognised as the best
European provider of legal and tax services. Clients say that what makes CMS special is a combination of three things: strong, trusted client
relationships, high quality advice and industry specialisation. CMS combines deep local expertise and the most extensive presence in Europe with
cross-border consistency and coordination.
Registered address: Mitre House, 160 Aldersgate Street, London EC1A 4DD.