The Bulgarian And Polish Legal Perspective On The Transfer Of Personal Data Outside The EU/EEA

Author:Ms Mirena Taskova and Adam Nierzwicki
Profession:Schoenherr Attorneys at Law

Increasingly, international business relations involve the transfer of personal data of individuals (name, gender, address, etc.) from EU/EEA to non-EU/EEA countries (Third Countries). The personal data transfer includes sending, transmitting, or making personal data available in another country. The Polish Act of 29 August 1997 on the Protection of Personal Data and the Bulgarian Personal Data Protection Act in force from 1 January 2002 implement the EU Data Protection Directive 95/46/EC1 (Directive), which aims to protect the rights and freedoms of the individuals with respect to the transfer of their personal information by providing guidelines for when a transfer is lawful. Lawful data processing The transfer of personal data from Bulgaria or Poland to a Third Country is legal only if the data is processed in compliance with applicable national privacy laws. Generally, prior to processing personal data, the entity must register with the competent national authority as a "data controller". While processing personal data, the entity must apply certain security measures to protect the data. Further, both Bulgarian and Polish privacy laws impose various requirements on the processing of personal data (eg, to be processed for specific, precisely defined, and legitimate purposes; to be relevant and not excessive to those purposes; etc.) for entities to lawfully transfer personal data of individuals to a Third Country. For instance, if an entity wishes to transfer personal data to a Third Country for purposes that are different from the initial purpose of processing, the transfer will likely be deemed unlawful unless it is required by law. Adequate level of data protection The personal data can be transferred to a Third Country if that country's laws provide for at least the same standards of personal data protection as in Bulgaria or Poland (Adequate Level of Protection). Entities in Bulgaria and Poland often face a question as to which Third Countries provide an Adequate Level of Protection. In Bulgaria the adequacy of the level of protection afforded by a Third Country is usually assessed by the Bulgarian Commission for Personal Data Protection (CPDP), considering the nature of the data, the final destination, etc. The Polish Data Protection Authority, on the other hand, does not provide such an assessment. Instead, it is made by the data controller (who, however, is not left alone on the matter). Decisions of the European Commission The European...

To continue reading