INTERNATIONAL DATA MOBILITY

International data transfers involve a flow of personal data from Spanish territory to recipients established in countries outside the European Economic Area (the countries of the European Union plus Liechtenstein, Iceland and Norway).

SAFEGUARDS for transfers of personal data to third countries or international organisations.

International data transfers may be carried out WITHOUT THE REQUIREMENT OF AUTHORISATION FROM THE SPANISH DATA PROTECTION AGENCY provided that the data processing complies with the provisions of the GDPR and in the following cases:

  1. Adequacy decision: countries that have been declared by the European Commission to have an adequate level of protection. To date the countries are Switzerland, Canada, Argentina, Guernsey, Isle of Man, Jersey, Andorra, Faroe Islands, Israel, Uruguay, New Zealand, Japan, United Kingdom, Republic of Korea and USA.
  2. Provision of adequate safeguards through: a legal instrument, corporate rules and binding data protection clauses. However, the data exporter, where appropriate assisted by the importer, must still analyse the impact that the legislation and/or practice in force in the importer's country may have on the level of protection provided, so that it is essentially equivalent to that provided by the European framework.
  3. Exceptions for specific situations: if there is no adequacy decision and there are no adequate safeguards, the European Data Protection Committee has developed Guidelines on the application of exceptions.

CODES OF CONDUCT concerning MOBILITY

Codes of conduct are essential to ensure that data mobility has adequate safeguards under European law.

When a code is prepared, it must be accompanied by an explanatory report that indicates the specific characteristics of the sector in terms of data protection, identifies and addresses the needs the sector presents in terms of processing, and provides solutions for these needs and adequate guarantees in relation to the aspects the code regulates, for its approval. The code must also include the mechanisms that allow for the mandatory control of its provisions, as established in Article 40.4 of the GDPR.

Codes of conduct may include:

  1. the legitimate interests pursued by controllers in specific contexts;
  2. the collection of personal data;
  3. pseudonymisation of personal data;
  4. the information provided to the public and stakeholders;
  5. the exercise of the rights of data subjects;
  6. measures and procedures to ensure the security of the processing, as well as data protection by design and by default;
  7. the notification of personal data security breaches to local supervisory authorities and the communication of such breaches to data subjects;
  8. the transfer of personal data to third countries and international organisations, or
  9. out-of-court and other dispute resolution procedures to resolve disputes between controllers and data subjects relating to processing, without prejudice to the rights of data subjects. This last aspect is of particular importance, as it will make it possible to resolve any disputes that may arise and obtain satisfaction in an expeditious manner.

In addition, draft codes that involve activities of private or non-public authorities or bodies must identify the supervisory body, which must be, or be accredited by, the Spanish Data Protection Agency.
