Skip to main content
News

EU-US Privacy Shield: Slovenian Information Commissioner authorisation no longer required for transfer of personal data to the US

14. June, 2017No Comments

EU-US Privacy Shield: Slovenian Information Commissioner authorisation no longer required for transfer of personal data to the US

As we already reported in March 2016, the EU and the US reached political agreement regarding the protection of personal data – »Privacy Shield«. However, the adoption of the agreement itself failed to facilitate the simple transfer of personal data to the US as to do so required authorisation from the Slovenian Information Commissioner (IP). 

At the end of March 2016, IP, acting on a filed motion and in accordance with Commission Implementing Decision (EU) 2016/1250, issued a decision by way of which it confirmed that the US provides an adequate level of protection to personal data being transferred to self-certified organisations in the US within the framework of the Privacy Shield.

Despite the fact that the IP has confirmed the adequate level of protection of personal data within the framework of the Privacy Shield, personal data may only be transferred to organisations that signed up to this framework. This means that prior to the transfer of personal data, data controllers must verify whether the contracting partner in the US has undertaken to adhere to the principles of the Privacy Shield with the US Department of Commerce. To date more than 2,000 US companies have self-certified under the Privacy Shield.

If a contracting partner is not self-certified under the Privacy Shield, an adequate level of protection of personal data can be ensured by using so-called standard contractual clauses (and for groups of companies, binding corporate rules – BCRs), which must nevertheless be approved by the IP.