(103) Féadfaidh an Coimisiún a chinneadh, agus bheadh feidhm ag an gcinneadh sin ar fud an Aontais, go gcuireann tríú tír, críoch nó earnáil shonraithe i dtríú tír, nó eagraíocht idirnáisiúnta, leibhéal leordhóthanach cosanta ar fáil, rud a sholáthraíonn deimhneacht dhlíthiúil agus aonfhoirmeacht dhlíthiúil ar fud an Aontais maidir leis an tríú tír nó leis an eagraíochtaí idirnáisiúnta a mheastar go gcuireann siad leibhéal cosanta den sórt sin ar fáil. I gcásanna den sórt sin, féadfar sonraí pearsanta a aistriú chuig an tír sin nó chuig an eagraíocht idirnáisiúnta sin gan an gá aon údarú breise a fháil. Féadfaidh an Coimisiún a chinneadh freisin, tar éis dó fógra in leith agus ráiteas iomlán lena leagtar amach na cúiseanna a thabhairt don tríú tír nó don eagraíocht idirnáisiúnta, cinneadh den sórt sin a chúlghairm.
(103) The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.
(104) I gcomhréir leis na bunluachanna ar a bhfuil an tAontas fothaithe, go háirithe cosaint chearta an duine, ba cheart don Choimisiún a chur san áireamh, agus measúnú á dhéanamh aige ar thríú tír nó ar chríoch nó ar earnáil shonraithe i dtríú tír, an tslí ina ndéanann tríú tír ar leith an smacht reachta, rochtain ar cheartas mar aon leis na noirm agus na caighdeáin idirnáisiúnta maidir le cearta an duine agus an dlí ginearálta agus an dlí earnála atá aici, lena n-áirítear reachtaíocht a bhaineann leis an tslándáil phoiblí, le cosaint agus leis an tslándáil náisiúnta mar aon leis an ord poiblí agus leis an dlí coiriúil, a urramú. Agus cinneadh leordhóthanachta maidir le críoch nó le hearnáil shonraithe i dtaca le tríú tír á ghlacadh, ba cheart a chur san áireamh critéir shoiléire oibiachtúla, amhail gníomhaíochtaí sonracha próiseála agus raon feidhme na gcaighdeán dlíthiúil is infheidhme agus na reachtaíochta atá i bhfeidhm sa tríú tír. Ba cheart don tríú tír ráthaíochtaí a thabhairt lena n-áiritheofaí leibhéal leordhóthanach cosanta arb ionann é go bunúsach agus an leibhéal a áirithítear laistigh den Aontas, go háirithe i gcás ina bpróiseáiltear sonraí pearsanta in earnáil ar leith nó i roinnt earnálacha ar leith. Go háirithe, ba cheart don tríú tír maoirseacht neamhspleách éifeachtach ar chosaint sonraí a áirithiú agus ba cheart di foráil a dhéanamh maidir le sásraí comhair leis na húdaráis na mBallstát um chosaint sonraí, agus ba cheart cearta éifeachtacha in-fhorfheidhmithe agus sásamh éifeachtach riaracháin agus sásamh éifeachtach breithiúnach a thabhairt do na hábhair sonraí.
(104) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, or of a territory or specified sector within a third country, take into account how a particular third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law. The adoption of an adequacy decision with regard to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the third country. The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union, in particular where personal data are processed in one or several specific sectors. In particular, the third country should ensure effective independent data protection supervision and should provide for cooperation mechanisms with the Member States' data protection authorities, and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress.
(105) Seachas na gealltanais idirnáisiúnta a rinne an tríú tír nó an eagraíocht idirnáisiúnta, ba cheart don Choimisiún oibleagáidí a chur san áireamh a eascraíonn as rannpháirtíocht na tríú tíre nó na heagraíochta idirnáisiúnta i gcórais iltaobhacha nó réigiúnacha go háirithe maidir le cosaint sonraí pearsanta, mar aon le cur chun feidhme oibleagáidí den sórt sin. Ba cheart, go háirithe, aontachas na tríú tíre do Choinbhinsiún Chomhairle na hEorpa an 28 Eanáir 1981 maidir le Daoine Aonair a Chosaint i ndáil le Sonraí Pearsanta a Phróiseáil go hUathoibríoch agus don Phrótacal Forlíontach a ghabhann leis a chur san áireamh. Ba cheart don Choimisiún dul i gcomhairle leis an mBord agus a leordhóthanaí atá an leibhéal cosanta i dtríú tíortha nó in eagraíochtaí idirnáisiúnta á mheas aige.
(105) Apart from the international commitments the third country or international organisation has entered into, the Commission should take account of obligations arising from the third country's or international organisation's participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or international organisations.
(106) Ba cheart don Choimisiún faireachán a dhéanamh ar fheidhmiú na gcinntí ar leibhéal na cosanta i dtríú tír,,i gcríoch nó in earnáil shonraithe i dtríú tír, nó in eagraíocht idirnáisiúnta, agus ba cheart dó faireachán a dhéanamh ar fheidhmiú cinntí arna nglacadh ar bhonn Airteagal 25(6) nó Airteagal 26(4) de Rialachán 95/46/CE. Ina chuid cinntí leordhóthanachta, ba cheart don Choimisiún foráil a dhéanamh do shásra maidir le hathbhreithniú tréimhsiúil a dhéanamh ar a bhfeidhmiú. Ba cheart an t-athbhreithniú tréimhsiúil sin a dhéanamh i gcomhairle leis an tríú tír nó leis an eagraíocht idirnáisiúnta i dtrácht agus ba cheart gach forbairt ábhartha sa tríú tír nó san eagraíocht idirnáisiúnta a chur san áireamh. Chun faireachán a dhéanamh agus chun na hathbhreithnithe tréimhsiúla a dhéanamh, ba cheart don Choimisiún machnamh a dhéanamh ar thuairimí agus ar thorthaí Pharlaimint na hEorpa agus ar thuairimí agus ar thorthaí na Comhairle, chomh maith le tuairimí agus torthaí comhlachtaí agus foinsí ábhartha eile. Ba cheart don Choimisiún measúnú a dhéanamh, laistigh de thréimhse réasúnach ama, ar fheidhmiú na gcinntí sin agus aon torthaí ábhartha a thuairisciú don Choiste de réir bhrí Rialachán (AE) Uimh. 182/2011 ó Pharlaimint na hEorpa agus ón gComhairle (12) mar a bhunaítear faoin Rialachán seo, do Pharlaimint na hEorpa agus don Chomhairle.
(106) The Commission should monitor the functioning of decisions on the level of protection in a third country, a territory or specified sector within a third country, or an international organisation, and monitor the functioning of decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC. In its adequacy decisions, the Commission should provide for a periodic review mechanism of their functioning. That periodic review should be conducted in consultation with the third country or international organisation in question and take into account all relevant developments in the third country or international organisation. For the purposes of monitoring and of carrying out the periodic reviews, the Commission should take into consideration the views and findings of the European Parliament and of the Council as well as of other relevant bodies and sources. The Commission should evaluate, within a reasonable time, the functioning of the latter decisions and report any relevant findings to the Committee within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council [12] as established under this Regulation, to the European Parliament and to the Council.
(107) Féadfaidh an Coimisiún a aithint nach bhfuil leibhéal leordhóthanach cosanta ar shonraí á áirithiú a thuilleadh i dtríú tír, i gcríoch nó in earnáil shonraithe i dtríú tír, nó in eagraíocht idirnáisiúnta. Mar gheall air sin, ba cheart aistriú sonraí pearsanta chuig an tríú tír sin nó chuig an eagraíocht idirnáisiúnta sin a thoirmeasc, mura gcomhlíontar na ceanglais sa Rialachán seo a bhaineann le haistrithe atá faoi réir coimircí leordhóthanacha, lena n-áirítear rialacha ceangailteacha corparáídeacha, agus maoluithe i gcomhair staideanna áirithe. Sa chás sin, ba cheart foráil a dhéanamh maidir le comhairliúcháin idir an Coimisiún agus tríú tíortha den sórt sin nó eagraíochtaí idirnáisiúnta den sórt sin. Ba cheart don Choimisiún, ar bhealach tráthúil, an tríú tír nó an eagraíocht idirnáisiúnta a chur ar an eolas faoi na fáthanna agus dul i gcomhairle léi chun an cor a leigheas.
(107) The Commission may recognise that a third country, a territory or a specified sector within a third country, or an international organisation no longer ensures an adequate level of data protection. Consequently the transfer of personal data to that third country or international organisation should be prohibited, unless the requirements in this Regulation relating to transfers subject to appropriate safeguards, including binding corporate rules, and derogations for specific situations are fulfilled. In that case, provision should be made for consultations between the Commission and such third countries or international organisations. The Commission should, in a timely manner, inform the third country or international organisation of the reasons and enter into consultations with it in order to remedy the situation.
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 45 GDPR:
7.5.1 Identify basis for PII transfer between jurisdictions
Control
The organization should identify and document the relevant basis for transfers of PII between jurisdictions.
Implementation guidance
PII transfer can be subject to legislation and/or regulation depending on the jurisdiction or international organization to which data is to be transferred (and from where it originates).
(EN) […]
(EN) Sign in
to read the full text