International transfer of personal data under the Data Protection Bill

International and digital commerce requires that information can be used by different players and in different places. Cross-border information flows and personal data transfers are an increasingly frequent and necessary activity for organizations. The new law will set forth important requirements for making these transfers. This article explains more about the international transfer of data.

Law No. 19,628 vs. New Data Protection Law

Regulating international transfers of personal data is necessary to ensure that personal data is processed in third countries with adequate levels of protection. The new Law fills a gap, as our current law does not address this issue:

Law No. 19,628:
International data transfer is not regulated. It constitutes a processing of personal data and must therefore comply with the general rules applicable to any processing activity.

Data controllers must inform data subjects of any communication of their data to the public, which has been understood to include any international transfers of data to other persons or entities.

Data protection bill:
International transfers are specifically regulated. They are lawful in certain circumstances and on the grounds set forth by law. Rules are provided to determine the condition of “adequate country” to transfer data from Chile.

What is an international transfer of personal data?

Although the new Law does not define what constitutes an international transfer of data, according to the purpose of its regulation, it can be considered as processing that involves the transmission of data outside the national territory.

An international transfer of personal data is considered to be a transfer in which:

  • The data controller entrusts the data processing to a third party outside the national territory.
  • The data processor delegates the data processing (in permitted cases) to a sub-processor outside the national territory.
  • The data controller communicates personal data to a joint controller abroad.
  • The data controller transfers the personal data to an assignee (new controller) abroad.

Who is involved in the international transfer of data?

International data transfers involve two parties: the transferors (or “exporters”) and the recipients (or “importers”) of personal data.

Data transferors are the data controllers or data processors located in the national territory that transfer the data outside of it.

Data recipients are the recipients of the data who are located in a third country (outside the national territory). Importers can be joint controllers, processors, sub-processors (if any) and also data assignees.

General rule for authorization of international data transfers

The New Data Protection Law provides for certain situations in which international data transfer operations are permitted. The most noteworthy are:

  1. When the transfer is made to a person, entity or public or private organization subject to the legal system of a country that provides adequate levels of protection of personal data.
  2. When the transfer of data is covered by contractual clauses or other legal instruments signed between the controller responsible for the transfer and the controller or processor who receives it.
  3. When a binding and certified compliance model is adopted.
  4. When there is express consent of the data subject to carry out a specific and determined international data transfer.
  5. When referring to specific bank, financial or stock market transfers.
  6. When data must be transferred to comply with obligations assumed in international treaties or conventions that have been ratified by Chile and that are in force.
  7. When the transfer is necessary for the execution or performance of a contract between the data subject and the controller, or for the execution of pre-contractual measures adopted at the data subject’s request.

Identification of adequate countries

The first situation in which an international data transfer can be made without requiring the data subject’s consent is when it is made to a person, entity or public or private organization subject to the legal system of a “country that provides adequate levels of protection of personal data”.

How is a country whose legal system provides adequate levels of data protection defined? The legal system of a country is understood to have adequate levels of data protection when it complies with standards similar to or higher than those set forth in the new Data Protection Law.

Who determines compliance with this standard? The Agency shall determine the countries with adequate levels of data protection by means of a publication on its website. For this purpose, the following elements should be considered:

  1. The establishment of principles governing the processing of personal data.
  2. The existence of rules that recognize and guarantee the rights of data subjects and the existence of a jurisdictional or administrative public authority of control or protection.
  3. The imposition of information and security obligations on data controllers and data processors.
  4. The determination of liabilities in case of infringements.

Auditing of international data transfers by the Agency

The new Law sets forth that the Agency must supervise and audit the operations of international transfers of personal data.

To that end, it has the authority to make recommendations, adopt conservative measures and, in qualified cases, temporarily suspend the transmission of data.

It is up to the data controller that made the international transfer to prove to the Agency that it was carried out in compliance with all the requirements set forth in the law.
