What is personal data transfer? When can I do it? Who are the parties involved in it?
Find out how the new Data Protection Law regulates this operation and what are its consequences in the following article.
Law No. 19,628 v/s New Data Protection Law
Law 19,628 does not regulate the personal data transfer agreement. En relation to the new law, the following differences can be seen:
| Law 19,628 | New Data Protection law |
|---|---|
| No regulation on personal data transfer. | Expressly regulates the transfer of personal data, defining it as the «transfer of personal data by the data controller to another data controller». It requires that the data transfer be performed in writing or by any suitable electronic means, and that it must address certain matters (individualization of the parties, data to be transferred, etc.). |
What is personal data transfer?
The new Data Protection Law defines the transfer of personal data as a transfer of personal data by the data controller to another data controller.
Once the transfer has been completed, the recipient acquires the status of data controller for all legal purposes. The transferer, in turn, also maintains the status of data controller with respect to the data processing operations it continues to perform.
The main difference between a data transfer and a data processing agreement (mandato) is that, in the latter case, the data processor or agent (mandatario) processes the data on behalf and under the instructions of the data controller, whereas in the former, the controller-recipient can make its own decisions regarding the use of the data. Another important difference is that, as a general rule, the data processor or agent is prohibited from transferring or handing over the personal data entrusted to it unless the data controller has expressly and specifically authorized it to do so (Article 15 bis), whereas, in the case of the controller-recipient, this possibility will depend on the lawful basis it has for receiving and processing the data.
Who participates in data transfers?
In the transfer of personal data, two parties are involved, the controller-transferor and the controller-recipient.
- Controller-transferors of personal data are those data controllers who transfer personal data to another data controller.
- Controller-recipients are those who receive the transferred personal data with the purpose of acquiring the status of data controller.
Eventually, in those transfers where the data subject’s consent is required, there will be three parties involved in the transfer.
When can I transfer personal data?
The new Data Protection Law permits the transfer of personal data in the following cases:
- With the data subject’s consent and for the fulfillment of the purposes of the data processing.
- When the transfer is required for the fulfillment and performance of a contract to which the data subject is a party.
- When there is a legitimate interest of the controller-transferor or controller-recipient.
- When provided by law.
Requirements of the data transfer agreement
The new Data Protection Law sets out that the data transfer must be performed in writing or by any suitable electronic means, leaving record of:
- The parties.
- The data that will be transferred.
- The purposes of the data processing.
- Additional information or stipulations agreed upon by the controller-transferor and the controller-recipient.
The new Data Protection Lawstates that the processing of the transferred personal data must be carried out by the controller-recipient according to the purposes set out in the data transfer agreement.
Personal data transfer with consent of the data subject
Consent for the data transfer may be obtained in two points in time:
- At the time of collection of personal data.
- If consent for the data transfer was not requested at the time of collection, the new law requires that it must be obtained before the transfer takes place, this being considered a new data processing operation for all legal purposes.
The new Data Protection Law states that, in those cases in which a transfer of data is conducted without the data subject’s consent, it being required, the transfer will be null and void, and the controller-recipient must delete all the data received, without prejudice to the corresponding legal responsibilities.
Effects of the data transfer agreement
The new Data Protection Law states that, once the transfer is completed, the following legal effects are produced:
- The recipient acquires the status of data controller for all legal purposes.
- The transferor maintains the status of data controller with respect to the data processing operations it continues to perform.