International transfer of personal data under the Data Protection Bill

Current regulatory context vs. Data Protection Bill

Regulating international transfers of personal data is necessary to ensure that personal data is processed in third countries with adequate levels of protection. The Bill fills a gap, as our current law does not address this issue:

Law No. 19,628:

International data transfer is not regulated. It constitutes a processing of personal data and must therefore comply with the general rules applicable to any processing activity.

Data controllers must inform data subjects of any communication of their data to the public, which has been understood to include any international transfers of data to other persons or entities.

Data Protection Bill:

International transfers are specifically regulated. They are lawful in certain circumstances and on the grounds set forth by law. Rules are provided to determine the condition of “adequate country” to transfer data from Chile.

What is an international transfer of personal data?

Although the Bill does not define what constitutes an international transfer of data, according to the purpose of its regulation, it can be considered as processing that involves the transmission of data outside the national territory.

An international transfer of personal data is considered to be a transfer in which:

  • The data controller entrusts the data processing to a third party outside the national territory.
  • The data processor delegates the data processing (in permitted cases) to a sub-processor outside the national territory.
  • The data controller communicates personal data to a joint controller abroad.
  • The data controller transfers the personal data to an assignee (new controller) abroad.

Who is involved in the international transfer of data?

International data transfers involve two parties: the transferors (or “exporters”) and the recipients (or “importers”) of personal data.

Data transferors are the data controllers or data processors located in the national territory that transfer the data outside of it.

Data recipients are the recipients of the data who are located in a third country (outside the national territory). Importers can be joint controllers, processors, sub-processors (if any) and also data assignees.

General rule for authorization of international data transfers

The Data Protection Bill provides for certain situations in which international data transfer operations are permitted. The most noteworthy are:

  1. When the transfer is made to a person, entity or public or private organization subject to the legal system of a country that provides adequate levels of protection of personal data.
  2. When the transfer of data is covered by contractual clauses or other legal instruments signed between the controller responsible for the transfer and the controller or processor who receives it.
  3. When a binding and certified compliance or self-regulation model is adopted.
  4. When there is express consent of the data subject to carry out a specific and determined international data transfer.
  5. When referring to specific bank, financial or stock market transfers.
  6. When the transfer is made between companies or entities of the same business group, in accordance with the terms of the Chilean Securities Market Law.
  7. When data must be transferred to comply with obligations assumed in international treaties or conventions that have been ratified by Chile and that are in force.
  8. When the transfer is necessary for the execution or performance of a contract between the data subject and the controller, or for the execution of pre-contractual measures adopted at the data subject’s request.

Identification of adequate countries

The first situation in which an international data transfer can be made without requiring the data subject’s consent is when it is made to a person, entity or public or private organization subject to the legal system of a “country that provides adequate levels of protection of personal data”.

How is a country whose legal system provides adequate levels of data protection defined? It is understood that the legal system of a country has adequate levels of data protection when it complies with standards similar to or higher than those set forth in the Data Protection Bill.

Who determines compliance with this standard? The Agency shall determine the countries with adequate levels of data protection by means of a publication on its website. In doing so, the following elements should be considered:

  1. The establishment of principles governing the processing of personal data.
  2. The existence of rules that recognize and guarantee the rights of data subjects and the existence of a jurisdictional or administrative public authority of control or protection.
  3. The imposition of information and security obligations on data controllers and data processors.
  4. The determination of liabilities in case of infringements.

Auditing of international data transfers by the Agency

The Bill sets forth that the Agency must supervise and audit the operations of international transfers of personal data.

To that end, it has the authority to make recommendations, adopt conservative measures and, in qualified cases, temporarily suspend the transmission of data.

The data controller that made the international transfer bears the burden of proving to the Agency that it was carried out in compliance with all the requirements set forth in the law.
