Commission Implementing Decision EU 2023/1795 of 10 July 2023 pursuant to Regulat... (32023D1795)
CONTENTS
Commission Implementing Decision EU 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (notified under document C(2023)4745) (Text with EEA relevance)
- COMMISSION IMPLEMENTING DECISION EU 2023/1795
- of 10 July 2023
- pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework
- (notified under document C(2023)4745)
- (Text with EEA relevance)
- 1. INTRODUCTION
- 2. THE EU-U.S. DATA PRIVACY FRAMEWORK
- 2.1. Personal and material scope
- 2.1.1. Certified organisations
- 2.1.2. Definition of personal data and concepts of controller and ‘agent’
- 2.2. EU-U.S. Data Privacy Framework Principles
- 2.2.1. Purpose limitation and choice
- 2.2.2. Processing of special categories of personal data
- 2.2.3. Data accuracy, minimisation and security
- 2.2.4. Transparency
- 2.2.5. Individual rights
- 2.2.6. Restrictions on onward transfers
- 2.2.7. Accountability
- 2.3. Administration, oversight and enforcement
- 2.3.1. (Re-)certification
- 2.3.2. Compliance monitoring
- 2.3.3. Identifying and addressing false claims of participation
- 2.3.4. Enforcement
- 2.4. Redress
- 3. ACCESS AND USE OF PERSONAL DATA TRANSFERRED FROM THE EUROPEAN UNION BY PUBLIC AUTHORITIES IN THE UNITED STATES
- 3.1. Access and use by U.S. public authorities for criminal law enforcement purposes
- 3.1.1. Legal bases, limitations and safeguards
- 3.1.1.1. Limitations and safeguards as regards the collection of personal data for criminal law enforcement purposes
- 3.1.1.2. Further use of the information collected
- 3.1.2. Oversight
- 3.1.3. Redress
- 3.2. Access and use by U.S. public authorities for national security purposes
- 3.2.1. Legal bases, limitations and safeguards
- 3.2.1.1. Applicable legal framework
- 3.2.1.2. Limitations and safeguards as regards the collection of personal data for national security purposes
- 3.2.1.3. Further use of the information collected
- 3.2.2. Oversight
- 3.2.3. Redress
- 4. CONCLUSION
- 5. EFFECTS OF THIS DECISION AND ACTION OF DATA PROTECTION AUTHORITIES
- 6. MONITORING AND REVIEW OF THIS DECISION
- 7. SUSPENSION, REPEAL OR AMENDMENT OF THIS DECISION
- 8. FINAL CONSIDERATIONS
- Article 1
- Article 2
- Article 3
- Article 4
- ANNEX I
- EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES ISSUED BY THE U.S. DEPARTMENT OF COMMERCE
- I. OVERVIEW
- II. PRINCIPLES
- 1. NOTICE
- 2. CHOICE
- 3. ACCOUNTABILITY FOR ONWARD TRANSFER
- 4. SECURITY
- 5. DATA INTEGRITY AND PURPOSE LIMITATION
- 6. ACCESS
- 7. RECOURSE, ENFORCEMENT AND LIABILITY
- III. SUPPLEMENTAL PRINCIPLES
- 1. Sensitive Data
- 2. Journalistic Exceptions
- 3. Secondary Liability
- 4. Performing Due Diligence and Conducting Audits
- 5. The Role of the Data Protection Authorities
- 6. Self-Certification
- 7. Verification
- 8. Access
- a. The Access Principle in Practice
- b. Burden or Expense of Providing Access
- c. Confidential Commercial Information
- d. Organization of Data Bases
- e. When Access May be Restricted
- f. Right to Obtain Confirmation and Charging a Fee to Cover the Costs for Providing Access
- g. Repetitious or Vexatious Requests for Access
- h. Fraudulent Requests for Access
- i. Timeframe for Responses
- 9. Human Resources Data
- a. Coverage by the EU-U.S. DPF
- b. Application of the Notice and Choice Principles
- c. Application of the Access Principle
- d. Enforcement
- e. Application of the Accountability for Onward Transfer Principle
- 10. Obligatory Contracts for Onward Transfers
- a. Data Processing Contracts
- b. Transfers within a Controlled Group of Corporations or Entities
- c. Transfers between Controllers
- 11. Dispute Resolution and Enforcement
- 12. Choice – Timing of Opt Out
- 13. Travel Information
- 14. Pharmaceutical and Medical Products
- a. Application of EU/Member State Laws or the Principles
- b. Future Scientific Research
- c. Withdrawal from a Clinical Trial
- d. Transfers for Regulatory and Supervision Purposes
- e. “Blinded” Studies
- f. Product Safety and Efficacy Monitoring
- g. Key-coded Data
- 15. Public Record and Publicly Available Information
- 16. Access Requests by Public Authorities
- ANNEX I: ARBITRAL MODEL
- A. Scope
- B. Available Remedies
- C. Pre-Arbitration Requirements
- D. Binding Nature of Decisions
- E. Review and Enforcement
- F. The Arbitration Panel
- G. Arbitration Procedures
- H. Costs
- ANNEX II
- ANNEX III
- Administration and Supervision of the Data Privacy Framework Program by the Department of Commerce
- ANNEX IV
- I. Introduction
- a. FTC Privacy Enforcement and Policy Work
- b. U.S. Legal Protections Benefitting EU Consumers
- c. FTC Enforcement Activity
- II. Referral Prioritization and Investigations
- III. Seeking and Monitoring Orders
- IV. Enforcement Cooperation with EU DPAs
- Appendix A
- Privacy Shield and Safe Harbor Enforcement
- ANNEX V
- 1. Background
- A. DOT’s Privacy Authority
- B. Enforcement Practices
- C. DOT Legal Protections Benefiting EU Consumers
- II. EU-U.S. DPF Principles Enforcement
- A. Prioritizing Investigation of Alleged Violations
- B. Addressing False or Deceptive Participation Claims
- C. Monitoring and Making Public Enforcement Orders Concerning EU-U.S. DPF Violations
- ANNEX VI
- ANNEX VII
- OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE OFFICE OF GENERAL COUNSEL
- WASHINGTON, DC 20511
- ANNEX VIII
- List of abbreviations