On 23rd January 2019 the European Commission adopted the adequacy decision with regards to Japan, which entered into force on the same date; the agreement was based upon a free-trade deal reached between the European Union and Japan in July of last year. Consequently, the world’s largest area for the flow of secure data was created.

The GDPR[1] applies to the processing of personal data of the activities of an establishment of parties to a contract in the EU, regardless of whether or not the data processing takes place in the EU.

In accordance with the foregoing, this decision has repercussions in the preparation and draft of all contracts in which companies located in Japan are involved, whether directly or indirectly, for the purposes of correctly regulating data protection matters.

The legal basis which we encounter is the following:

  1. The GDPR expressly regulates that transfers of personal data which are undergoing processing, or data which are intended for processing after transfer to a third country or to an international organisation outside the European Economic Area (the countries of the European Union, plus Liechtenstein, Iceland and Norway) shall only take place if the parties involved in said processing ensure that the level of protection guaranteed by the GDPR is not undermined.
  2. Articles 13 and 14 of the Regulation establish the obligation of the data controller to proceed in accordance with the right to information which the regulation grants to the data subject, provided that personal data were obtained for the first time.
  3. This information must include, where appropriate, the intention of the data controller of transferring personal data to a third party or international organisation and the existence or absence of an adequacy decision from the Commission. If an adequacy decision is given, no further specific authorisation to this effect is required.
  4. Alternatively, for transfers not protected by an adequacy decision, articles 46, 47 and article 49, section 1, paragraph 3 establish the adequate or appropriate guarantees and the means for obtaining a copy thereof or of the facts that they have been provided (standard clauses adopted by the supervisory authorities and/or the Commission, binding corporate rules, codes of conduct approved in accordance with the GDPR together with binding commitments to apply appropriate safeguards, certification mechanisms approved in accordance with the GDPR, contractual clauses, explicit consent of the data subject after having been informed of the risks, etc.). Likewise, said article 49 also establishes exceptions such as contractual necessity and legitimate interest, which are subject to determined requirements.

The data protection legislation also offers protection to personal data associated with professional positions, i.e. the personal data, among others, of natural persons who are representatives of legal persons, who intervene in the signing or execution of a contract, specifying, however, in the new Organic Law on Data Protection and Guarantees of Digital Rights that such communication shall be protected by legitimate interest (art. 6.1.f) GDPR).

Accordingly, if one of the signatories or involved parties to a contract is a Japanese company, the latter will in any case obtain the personal data of the signatory of the other party, together with the data of third parties, if included in the contract.

Consequently, an international transfer of data outside of the EEA shall occur.

In this way, faced with the need to always provide the necessary data to guarantee the right to information in the contract, in accordance with what is set forth in article 13 of the GDPR, the signatory shall be informed of the following:

a) the information set forth in article 13 of the GDPR for all cases, whether or not an international data transfer exists.

b) the intention of the data controller of transferring the data to a third party outside the EEA.

c) and, as from 23rd January 2019, all affected contracts -in the cases foreseen in this article- may greatly simplify their data protection provisions by simply indicating the existence of the adequacy decision of Commission of the 23rd January 2019, in order to comply with the requirements of the regulations regarding the international transfer of personal data.

As indicated in article 45.1 of the GDPR, from now onwards, no further specific additional authorisation shall be required.

 

 

Andreas Terán

Vilá Abogados

 

For further information, please contact:

va@vila.es

 

8th February 2019

 

 

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Source of interest