Any judgment of a court or tribunal and any decision/order of an administrative (governmental) authority of a third country requiring a controller or processor to transfer or disclose personal data may be recognised or be enforceable only if it is based on an international agreement in force, such as a mutual legal assistance treaty, between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.
Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer pursuant to this Chapter.
The translation into Russian was made simultaneously from 4 official languages of the European Union (English, Polish, French and German) by a team of professionals in the field of information privacy: S. Voronkevich, A. Boguslavskaya, P. Lozovenko, I. Chernysheva, S. Radyno, S. Golovneva. General editing: Sergey Voronkevich CIPP/E, CIPM, MBA. The mapping of articles and recitals is based on the ICO publication: https://ico.org.uk/media/about-the-ico/disclosure-log/2014536/irq0680151-disclosure.pdf
© Russian translation by Data Privacy Office LLC.
The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.
ISO/IEC 27701, adopted in 2019, added ISO/IEC 27002 guidance for PII controllers.
Here is the paragraph relevant to Article 48 GDPR:
7.5.1 Identify basis for PII transfer between jurisdictions
Control
The organization should identify and document the relevant basis for transfers of PII between jurisdictions.
Implementation guidance
PII transfer can be subject to legislation and/or regulation depending on the jurisdiction or international organization to which data is to be transferred (and from where it originates). The organization should document compliance to such requirements as the basis for transfer.
Some jurisdictions can require that information transfer agreements be reviewed by a designated supervisory authority. Organizations operating in such jurisdictions should be aware of any such requirements.
NOTE Where transfers take place within a specific jurisdiction, the applicable legislation and/or regulation are the same for the sender and recipient.
ISO/IEC 27701, adopted in 2019, added ISO/IEC 27002 guidance for PII processors.
Here is the paragraph relevant to Article 48 GDPR:
8.5.1 Basis for PII transfer between jurisdictions
Control
The organization should inform the customer in a timely manner of the basis for PII transfers between jurisdictions and of any intended changes in this regard, so that the customer has the ability to object to such changes or to terminate the contract.
Implementation guidance
PII transfer between jurisdictions can be subject to legislation and/or regulation depending on the jurisdiction or organization to which PII is to be transferred (and from where it originates). The organization should document compliance with such requirements as the basis for transfer.
The organization should inform the customer of any transfer of PII, including transfers to:
— suppliers;
— other parties;
— other countries or international organizations.
In case of changes, the organization should inform the customer in advance, according to an agreed timeframe, so that the customer has the ability to object to such changes or to terminate the contract.
The agreement between the organization and the customer can have clauses where the organization can implement changes without informing the customer. In these cases, the limits of this allowance should be set (e.g. the organization can change suppliers without informing the customer, but cannot transfer PII to other countries).
In case of international transfer of PII, agreements such as Model Contract Clauses, Binding Corporate Rules or Cross Border Privacy Rules, the countries involved and the circumstances in which such agreements apply, should be identified.
8.5.5 Legally binding PII disclosures
Control
The organization should reject any requests for PII disclosures that are not legally binding, consult the corresponding customer before making any PII disclosures and accepting any contractually agreed requests for PII disclosures that are authorized by the corresponding customer.
Implementation guidance
Details relevant to the implementation of the control can be included in the customer contract.
Such requests can originate from several sources, including courts, tribunals and administrative authorities. They can arise from any jurisdiction.