(103) Il-Kummissjoni tista' tiddeċiedi b'effett għall-Unjoni kollha li pajjiż terz, territorju jew settur speċifikat f'pajjiż terz, jew organizzazzjoni internazzjonali, joffru livell adegwat ta' protezzjoni tad-data, u b'hekk jipprovdu ċertezza legali u uniformità madwar l-Unjoni fir-rigward tal-pajjiż terz jew l-organizzazzjoni internazzjonali li huma kkunsidrati li jipprovdu dan il-livell ta' protezzjoni. F'tali każijiet, it-trasferimenti ta' data personali lejn dak il-pajjiż terz jew organizzazzjoni internazzjonali jistgħu jsiru mingħajr il-ħtieġa li tinkiseb kwalunkwe awtorizzazzjoni oħra. Il-Kummissjoni tista' tiddeċiedi wkoll, meta tkun tat notifika u ġustifikazzjoni sħiħa li tagħti r-raġunijiet lill-pajjiż terz jew organizzazzjoni internazzjonali, li tirrevoka tali deċiżjoni.
(103) The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.
(104) F'konformità mal-valuri fundamentali li fuqhom hija bbażata l-Unjoni, b'mod partikolari l-protezzjoni tad-drittijiet tal-bniedem, il-Kummissjoni, fil-valutazzjoni tagħha tal-pajjiż terz jew ta' territorju jew settur speċifikat f'pajjiż terz, għandha tikkunsidra kif pajjiż terz partikolari jirrispetta l-istat tad-dritt, l-aċċess għall-ġustizzja kif ukoll ir-regoli u l-istandards internazzjonali tad-drittijiet tal-bniedem u l-liġi ġenerali u settorjali tagħha, inkluż leġiżlazzjoni dwar is-sigurtà pubblika, id-difiża u s-sigurtà nazzjonali kif ukoll l-ordni pubbliku u l-liġi kriminali. L-adozzjoni ta' deċiżjoni ta' adegwatezza fir-rigward ta' territorju jew settur speċifikat f'pajjiż terz għandha tieħu kont ta' kriterji ċari u oġġettivi, bħall-attivitajiet ta' pproċessar speċifiċi u l-kamp ta' applikazzjoni tal-istandards legali applikabbli u l-leġiżlazzjoni fis-seħħ fil-pajjiż terz. Il-pajjiż terz għandu joffri garanziji li jiżguraw livell adegwat ta' protezzjoni essenzjalment ekwivalenti għal dak żgurat fl-Unjoni, b'mod partikolari fejn id-data personali tkun ipproċessata f'settur speċifiku wieħed jew aktar. B'mod partikolari, il-pajjiż terz għandu jiżgura superviżjoni effettiva u indipendenti tal-protezzjoni tad-data u għandu jipprevedi mekkaniżmi ta' kooperazzjoni mal-awtoritajiet tal-Istati Membri għall-protezzjoni tad-data, u s-suġġetti tad-data għandhom jingħataw drittijiet effettivi u infurzabbli u rimedju amministrattiv u ġudizzjarju effettiv.
(104) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, or of a territory or specified sector within a third country, take into account how a particular third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law. The adoption of an adequacy decision with regard to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the third country. The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union, in particular where personal data are processed in one or several specific sectors. In particular, the third country should ensure effective independent data protection supervision and should provide for cooperation mechanisms with the Member States' data protection authorities, and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress.
(105) Minbarra l-impenji internazzjonali li jkun daħal għalihom il-pajjiż terz jew l-organizzazzjoni internazzjonali, il-Kummissjoni għandha tieħu kont tal-obbligi li jirriżultaw mill-parteċipazzjoni tal-pajjiż terz jew tal-organizzazzjoni internazzjonali f'sistemi multilaterali jew reġjonali b'mod partikolari fir-rigward tal-protezzjoni tad-data personali, kif ukoll l-implimentazzjoni ta' dawn l-obbligi. B'mod partikolari, għandu jittieħed kont tal-adeżjoni ta' pajjiż terz għall-Konvenzjoni tal-Kunsill tal-Ewropa tat-28 ta' Jannar 1981 dwar il-Protezzjoni tal-Individwi fir-rigward tal-Ipproċessar Awtomatiku tad-Data Personali u l-Protokoll Addizzjonali tagħha. Il-Kummissjoni għandha tikkonsulta mal-Bord meta tivvaluta l-livell ta' protezzjoni f'pajjiżi terzi jew organizzazzjonijiet internazzjonali.
(105) Apart from the international commitments the third country or international organisation has entered into, the Commission should take account of obligations arising from the third country's or international organisation's participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or international organisations.
(106) Il-Kummissjoni għandha tissorvelja l-funzjonament ta' deċiżjonijiet fil-livell tal-protezzjoni f'pajjiż terz, territorju jew settur speċifikat f'pajjiż terz, jew organizzazzjoni internazzjonali, u tissorvelja l-funzjonament ta' deċiżjonijiet adottati abbażi tal-Artikolu 25(6) jew l-Artikolu 26 (4) tad-Direttiva 95/46/KE. Fid-deċiżjonijiet ta' adegwatezza tagħha, il-Kummissjoni għandha tipprovdi mekkaniżmu ta' rieżami perjodiku tal-funzjonament tagħhom. Dak ir-rieżami perjodiku għandu jitwettaq b'konsultazzjoni mal-pajjiż terz jew organizzazzjoni internazzjonali inkwistjoni u jieħu kont tal-iżviluppi rilevanti kollha fil-pajjiż terz jew l-organizzazzjoni internazzjonali. Għall-iskopijiet ta' monitoraġġ u twettiq tar-rieżamijiet perjodiċi, il-Kummissjoni għandha tqis il-fehmiet u l-konklużjonijiet tal-Parlament Ewropew u tal-Kunsill kif ukoll ta' korpi rilevanti u sorsi oħra. Il-Kummissjoni għandha tevalwa, fi żmien raġonevoli, il-funzjonament ta' dawn id-deċiżjonijiet tal-aħħar u tirrapporta kwalunkwe konklużjoni rilevanti lill-Kumitat fis-sens tar-Regolament (UE) Nru 182/2011 tal-Parlament Ewropew u tal-Kunsill (12) kif stabbilit taħt dan ir-Regolament, lill-Parlament Ewropew u lill-Kunsill.
(106) The Commission should monitor the functioning of decisions on the level of protection in a third country, a territory or specified sector within a third country, or an international organisation, and monitor the functioning of decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC. In its adequacy decisions, the Commission should provide for a periodic review mechanism of their functioning. That periodic review should be conducted in consultation with the third country or international organisation in question and take into account all relevant developments in the third country or international organisation. For the purposes of monitoring and of carrying out the periodic reviews, the Commission should take into consideration the views and findings of the European Parliament and of the Council as well as of other relevant bodies and sources. The Commission should evaluate, within a reasonable time, the functioning of the latter decisions and report any relevant findings to the Committee within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council [12] as established under this Regulation, to the European Parliament and to the Council.
(12) Regolament (UE) Nru 182/2011 tal-Parlament Ewropew u tal-Kunsill tas-16 ta' Frar 2011 li jistabbilixxi r-regoli u l-prinċipji ġenerali dwar il-modalitajiet ta' kontroll mill-Istati Membri tal-eżerċizzju mill-Kummissjoni tas-setgħat ta' implimentazzjoni (ĠU L 55, 28.2.2011, p. 13). https://eur-lex.europa.eu/legal-content/EN/AUTO/?uri=OJ:L:2011:055:TOC
(107) Il-Kummissjoni tista' tirrikonoxxi li pajjiż terz, territorju jew settur speċifikat f'pajjiż terz, jew organizzazzjoni internazzjonali ma jibqgħux jiżguraw livell adegwat ta' protezzjoni tad-data. Konsegwentement, it-trasferiment ta' data personali lejn pajjiż terz jew organizzazzjoni internazzjonali għandu jkun ipprojbit, dment li r-rekwiżiti f'dan ir-Regolament relatati ma' trasferimenti suġġetti għal garanziji adegwati, inklużi regoli korporattivi vinkolanti, u derogi għal sitwazzjonijiet speċifiċi ma jiġux sodisfatti. F'dak il-każ, għandhom ikunu previsti konsultazzjonijiet bejn il-Kummissjoni u tali pajjiżi terzi jew tali organizzazzjonijiet internazzjonali. Il-Kummissjoni għandha tinforma fil-ħin lill-pajjiż terz jew l-organizzazzjoni internazzjonali bir-raġunijiet u tidħol f'konsultazzjonijiet miegħu/magħha sabiex tirrimedja għas-sitwazzjoni.
(107) The Commission may recognise that a third country, a territory or a specified sector within a third country, or an international organisation no longer ensures an adequate level of data protection. Consequently the transfer of personal data to that third country or international organisation should be prohibited, unless the requirements in this Regulation relating to transfers subject to appropriate safeguards, including binding corporate rules, and derogations for specific situations are fulfilled. In that case, provision should be made for consultations between the Commission and such third countries or international organisations. The Commission should, in a timely manner, inform the third country or international organisation of the reasons and enter into consultations with it in order to remedy the situation.
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 45 GDPR:
7.5.1 Identify basis for PII transfer between jurisdictions
Control
The organization should identify and document the relevant basis for transfers of PII between jurisdictions.
Implementation guidance
PII transfer can be subject to legislation and/or regulation depending on the jurisdiction or international organization to which data is to be transferred (and from where it originates).
(EN) […]
(EN) Sign in
to read the full text