Data Protection Consultation at KINAST
International Data Protection
In a globalized economy, data knows no borders. It flows freely between countries, often without the knowledge or consent of the people it belongs to. This poses unique challenges when it comes to data protection.
What is International Data Protection Law?
With the coming of the digital age, legislators worldwide have faced new privacy-related issues, especially in the form of international data protection. Before the Internet, personal data could be found mainly in phone books and a few other places. Nowadays, many people are rarely aware of how much data they upload daily on the World Wide Web and of how quickly this information can be shared across the continents.
In order to address this issue, new laws have been passed to protect these data, both on a national and an international level. These new regulations aim to protect the gathering and transfer of personal data. ‘Personal Data’ qualifies as information that allows the identification of a specific individual.
Online presence? All the more important!
Although these laws apply to all businesses generally, they are especially important for companies that have an online presence. When it comes to the handling of customer or employee data, a privacy violation could lead to enormous fines by the competent data protection authority. In the context of increasing globalization, the international aspect of data protection regulations is gaining ever-growing importance.
Do you need an External Data Protection Officer?
Five steps to compliance:
Introduction of your company and KINAST as well as the relevant contact persons. Discussion of the current data protection setup and most important data protection topics.
We conduct a data protection audit on-site or based on questionnaires to evaluate the current data protection status of your company.
Document the current data protection status and define further required actions if necessary.
We carry out all necessary measures identified during the data protection audit.
Designation as External Data Protection Officer and ongoing consultation starting from day 1.
International Data Protection Law in action
In particular, the EU was the pioneer in creating a legal framework for its member states, the GDPR, which also addresses the transfer of personal data to so-called “third countries”. The GDPR affects above all companies and individuals on the EU’s territory, but it has worldwide coverage due to its applicability to the processing of personal data of EU citizens.
A typical case of interest would be a company located in the EU transferring personal data to a country outside the EU: In this instance the GDPR clearly states the need to implement further security measures in order to guarantee the safety of the personal data.
Other areas to consider:
How do we guarantee your data protection compliance in your international company or corporation?
If required, we can act as your External Data Protection Officer. To guarantee a timely and cost-effective execution of the necessary data protection measures, we’ve developed our own concept based on a three-point plan:
As a first step, we carry out a risk assessment in your company. We carry out the risk assessment either on-site or remotely. Based on the findings, we prepare a report that documents the degree of compliance with data protection standards. Furthermore, the report identifies any vulnerabilities, proposes suitable measures to remedy those vulnerabilities, defines responsibilities and sets a timetable for the implementation of these measures.
In the next step, we implement any measures that we identified within the framework of the risk assessment. In doing so, we attach great importance to tying up your internal resources as little as possible.
Finally, as an External DPO, we permanently support your company regarding all aspects of data protection. In this way, we ensure ongoing compliance with legal standards, the adaptation of procedures to the requirements of new laws and the consideration of current changes in internal processes.
Which qualifications should Lawyers and DPOs have when it comes to international data protection law?
The requirements for an External DPO, for example, cover a wide range of legal knowledge, from specially acquired professional qualifications to comprehensive knowledge of the tasks at hand. This includes possessing proficiency in the specific services performed by a company or industry. Legal advisors must not only have the necessary qualifications in international data protection law, but must also be able to use these skills appropriately and identify where solutions need to be implemented.
Just a few of the reasons to choose the KINAST legal team for international data protection consultation
Do you need guidance with international data protection law?
Data protection law, especially on the international stage, can be a legal minefield. Our experienced lawyers and data protection officers are here to help. KINAST Attorneys at Law are specialised solely in data protection and we’ve been advising international groups and corporations since before GDPR laws came into effect. We guarantee that your company is in the safest hands.
So why not contact us today for a free, no obligation consultation?
Frequently asked questions
We understand that many clients still have questions about international data protection law. We’ve answered some of the most frequently asked questions here. If you have more specific or specialist questions, feel free to contact us, and one of our Lawyers or Data Protection Officers will get back to you as soon as possible.
Furthermore, centralized company functions, for example “group IT” based in the USA, lead to international data transfers.
It is mandatory to appoint a DPO:
- where the processing is carried out by a public authority or body,
- where the core activity of the controller or processor is to carry out processing operations which, by their nature, scale and/or purposes, require extensive, regular and systematic supervision of data subjects, or
- where the core activity of the controller or processor is the processing on a large scale of special categories of data as referred to in Art. 9 GDPR or of personal data relating to criminal convictions and offences as referred to in Art. 10 GDPR.
For example in Germany, according to § 38 Federal Data Protection Act (BDSG), a DPO must be appointed if:
- as a general rule, at least 20 persons are permanently involved in the automated processing of personal data,
- the controller or the processor is subject to a DPIA pursuant to Art. 35 GDPR, or
- personal data are processed for the purpose of transmission, anonymous transmission or for purposes of market and opinion research.
Typically, the laws that apply are those of the country where your company is located. The GDPR applies to all companies located inside the EEA. If your company is located outside the EEA, the GDPR still applies if your company offers goods or services to European territories. However, in this case the GDPR only applies to the personal data of EEA residents.
It is the data controller’s responsibility to ensure their company is compliant with applicable data protection law. So in general, the company itself is responsible for ensuring compliance.
However, every country has specific supervisory authorities which may conduct periodic checks and investigations in cases of suspected violation of privacy laws.
Personal data can be very valuable for personal or economic reasons. Privacy and data protection laws have been adopted to protect consumers from unauthorized persons gaining access to these data and using them for purposes unknown to and uncontrolled by the individuals they belong to.