(101) Потоки персональных данных, направляющиеся как в страны вне Союза или международные организации, так и поступающие из них, необходимы для расширения международной торговли и международного сотрудничества. Рост таких потоков привел к новым вызовам и проблемам в области защиты персональных данных. Однако, когда персональные данные передаются из Союза контролёрам, процессорам или иным получателям в третьих странах или международным организациям, уровень защиты физических лиц, гарантированный в Союзе настоящим Регламентом, не должен ослабляться, в том числе в случаях последующей передачи персональных данных из данной третьей страны или международной организации контролёрам, процессорам в той же или другой третьей стране или международной организации. В любом случае, передача данных в третьи страны и международные организации может осуществляться только при полном соблюдении положений настоящего Регламента. Передача может иметь место только, если в соответствии с другими положениями настоящего Регламента, контролёр или процессор соблюдают условия, предусмотренные настоящим Регламентом, относительно передачи персональных данных в третьи страны или международные организации.
(101) Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation. The increase in such flows has raised new challenges and concerns with regard to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.
(102) Настоящий Регламент действует без ущерба международным соглашениям между Союзом и третьими странами в отношении передачи персональных данных, в том числе в отношении соответствующих гарантий для субъектов данных. Государства-члены могут заключать международные соглашения, касающиеся передачи персональных данных в третьи страны и международные организации, в той мере, в которой такие соглашения не влияют на настоящий Регламент либо на иные положения права Союза и предусматривают соответствующий уровень защиты фундаментальных прав субъектов данных.
(102) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects. Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects.
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 44 GDPR:
7.5.1 Identify basis for PII transfer between jurisdictions
Control
The organization should identify and document the relevant basis for transfers of PII between jurisdictions.
Implementation guidance
PII transfer can be subject to legislation and/or regulation depending on the jurisdiction or international organization to which data is to be transferred (and from where it originates). The organization should document compliance to such requirements as the basis for transfer.
Some jurisdictions can require that information transfer agreements be reviewed by a designated supervisory authority. Organizations operating in such jurisdictions should be aware of any such requirements.
NOTE Where transfers take place within a specific jurisdiction, the applicable legislation and/or regulation are the same for the sender and recipient.
ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII processors.
Here is the relevant paragraph to article 44 GDPR:
8.5.1 Basis for PII transfer between jurisdictions
Control
The organization should inform the customer in a timely manner of the basis for PII transfers between jurisdictions and of any intended changes in this regard, so that the customer has the ability to object to such changes or to terminate the contract.
Implementation guidance
PII transfer between jurisdictions can be subject to legislation and/or regulation depending on the jurisdiction or organization to which PII is to be transferred (and from where it originates). The organization should document compliance with such requirements as the basis for transfer.
The organization should inform the customer of any transfer of PII, including transfers to:
— suppliers;
— other parties;
— other countries or international organizations.
In case of changes, the organization should inform the customer in advance, according to an agreed timeframe, so that the customer has the ability to object to such changes or to terminate the contract.
The agreement between the organization and the customer can have clauses where the organization can implement changes without informing the customer. In these cases, the limits of this allowance should be set (e.g. the organization can change suppliers without informing the customer, but cannot transfer PII to other countries).
In case of international transfer of PII, agreements such as Model Contract Clauses, Binding Corporate Rules or Cross Border Privacy Rules, the countries involved and the circumstances in which such agreements apply, should be identified.