The following icons are used in the table, to clarify the impact of each change:
Issue: Cross-Border Data Transfers are prohibited, unless certain conditions are met.
Directive: Cross-Border Data Transfers were, without prejudice to compliance with national law, prohibited, unless the transfer was made to an Adequate Jurisdiction (see below) or the data exporter had implemented a lawful data transfer mechanism (or an exemption or derogation applied).
GDPR: Cross-Border Data Transfers may only take place if the transfer is made to an Adequate Jurisdiction (see below) or the data exporter has implemented a lawful data transfer mechanism (or an exemption or derogation applies).
explain complaint procedures; and
Issue: A Cross-Border Data Transfer may take place on the basis of approved Codes of Conduct.
Directive: The Directive encouraged the drawing up of Codes of Conduct. However, it did not specifically permit Cross-Border Data Transfers to be made on the basis of a Code of Conduct.
GDPR: A Cross-Border Data Transfer may take place on the basis of an approved Code of Conduct, together with binding and enforceable commitments to provide appropriate safeguards. Transfers made on this basis do not require DPA approval.
Certification (Directive: N/A; GDPR: Rec.108; Art.42, 43, 46(2)(f))
Issue: A Cross-Border Data Transfer may take place on the basis of certifications.
Directive: The Directive did not provide for certifications as a mechanism for Cross-Border Data Transfers.
GDPR: A Cross-Border Data Transfer may take place on the basis of certifications together with binding and enforceable commitments of the data importer to apply the certification to the transferred data. Transfers made on this basis do not require DPA approval.
Issue: A Cross-Border Data Transfer may take place on the basis of contracts negotiated between the data exporter and the data importer ("ad hoc clauses"), subject to approval from the competent DPA.
Directive: A Cross-Border Data Transfer could take place on the basis of ad hoc clauses between the data exporter and data importer. These clauses had to conform to the requirements of the national laws of the relevant Member State, and required approval from the relevant DPA, before transfers could begin.
GDPR: A Cross-Border Data Transfer may take place on the basis of ad hoc clauses. These clauses must conform to the requirements of the GDPR, and must be approved by the relevant DPA subject to the Consistency Mechanism, before transfers can begin.
Issue: A Cross-Border Data Transfer may take place on the basis of administrative arrangements made by the data exporter, subject to the authorisation from the competent DPA.
Directive: The Directive did not provide for administrative arrangements as a legal basis for Cross-Border Data Transfers.
GDPR: Cross-Border Data Transfers may take place on the basis of administrative arrangements between public authorities (e.g., a Memorandum of Understanding), which include adequate protection for the rights of data subjects. Transfers made on this basis require DPA approval.
Issue: A Cross-Border Data Transfer may be made on the basis of the consent of the data subject. Further commentary on consent is provided in Chapter 8.
Directive: A Cross-Border Data Transfer could be made on the basis of the data subject's unambiguous consent. Any such transfers could only be carried out in full compliance with the applicable national laws that implemented the Directive.
GDPR: A Cross-Border Data Transfer may be made on the basis that the data subject, having been informed of the possible risks of such transfer, explicitly consents.
Contracts that are in the data subject's interest (Directive: Rec.58; Art.26(1)(c); GDPR: Rec.111; Art.49(1)(c), (3))
Issue: A Cross-Border Data Transfer may be made on the basis that it is necessary for the purposes of performing or concluding a contract in the interests of the data subject (e.g., a parent making a purchase on behalf of a child).
Directive: A Cross-Border Data Transfer could take place if the transfer was necessary for the conclusion or performance of a contract between the controller and a third party, which was in the interests of the data subject.
GDPR: A Cross-Border Data Transfer may take place if the transfer is necessary for the conclusion or performance of a contract between the controller and a third party, where it is in the interests of the data subject.
Issue: A Cross-Border Data Transfer may be made on the basis that the transfer is necessary for important reasons of public interest.
Directive: A Cross-Border Data Transfer could take place if the transfer was necessary, or legally required, on important public interest grounds.
GDPR: A Cross-Border Data Transfer may take place if the transfer is necessary for important reasons of public interest. Such interests must be recognised in EU law or in the law of the Member State to which the controller is subject.
Issue: A Cross-Border Data Transfer may be made on the basis that it is necessary for the purposes of legal proceedings, or obtaining legal advice.
Directive: A Cross-Border Data Transfer could take place if the transfer was necessary, or legally required, on important public interest grounds for the establishment, exercise or defence of legal claims.
GDPR: A Cross-Border Data Transfer may take place if the transfer is necessary for the establishment, exercise or defence of legal claims.
Issue: A Cross-Border Data Transfer may be made on the basis that the transfer is necessary to protect the vital interests of the data subject.
Directive: A Cross-Border Data Transfer could take place if the transfer was necessary in order to protect the vital interests of the data subject.
GDPR: A Cross-Border Data Transfer may take place if the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
Issue: A Cross-Border Data Transfer may be made on the basis that the data to be transferred are taken from a public register.
Directive: A Cross-Border Data Transfer could take place if the transferred data were taken from a register which was open to the public, or to any person who could demonstrate a legitimate interest in inspecting it.
GDPR: A Cross-Border Data Transfer may take place if the transferred data are taken from a register which is open to the public or, upon request, to any person who can demonstrate a legitimate interest in inspecting it. This does not permit a transfer of the entire register.
the transfer is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by those of the data subject; and the controller has adduced suitable safeguards for the transferred data.
Commentary: GDPR Transfer Mechanisms
The GDPR maintains the pre-existing data transfer mechanisms created under the Directive (with some minor amendments). It also creates a number of new transfer mechanisms, of which organisations should be aware. Key changes from the Directive include the following:
Under the GDPR, several transfer mechanisms no longer require notification to, and/or authorisation from, DPAs. This significantly reduces the administrative burden on organisations.
The GDPR introduces several new transfer mechanisms, including DPA Clauses, certifications and a derogation for the purposes of legitimate interests.
Transfer mechanisms such as BCRs and Codes of Conduct may become more important as a result of the increased harmonisation introduced by the GDPR.
However, there remains a significant amount of uncertainty in this area in light of Schrems II, under which the EU-US Privacy Shield is no longer deemed adequate.
The following are some key points that compliance teams should evaluate when integrating LGPD requirements into their larger privacy compliance infrastructure.
What is the LGPD's effective date?
The law took immediate effect on September 18, 2020. Brazil's data protection authority, Autoridade Nacional de Proteção de Dados (ANPD), will oversee enforcement of the law.
1. Notice. Like the CCPA and GDPR, the consumer has been given a right under Article 9 of the LGPD to meaningful notice, which includes notification on matters such as the specific purposes of the processing, the type and time period of processing, the identity of the processing entity and contact information, the nature and purpose of any data shared with third parties, the responsibilities of the entity processing the data, and information regarding the consumer's rights.
2. Right to Know. Under Article 18, the consumer is given a series of rights akin to the GDPR. The first of these rights, the right to know, addresses businesses having a distinct responsibility to provide information to the consumer about what data, if any, is being processed by the entity.
3. Right to Correct. Consumers have the right to correct inaccurate information.
4. Data Portability. Consumers have the right to a copy of their data to port from a data processing system.
5. Data Deletion. Consumers have a right to have their data deleted, subject to certain exceptions.
6. Consent. Much like the GDPR, consent must be express, informed, and clear. Consumers must be given information about what giving their express consent means as well as the consequences of denying or revoking consent to the processing of their personal data.
4. Singapore—Personal Data Protection Act (PDPA) (Act 26 of 2012)
Singapore adopted its Personal Data Protection Act (PDPA) way back in 2012, before the EU’s General Data Protection Regulation (GDPR) made its appearance on the legal stage. It came into full force on 2 July 2014 and governs the collection, use, disclosure and care of personal data. It also regulates telemarketing practices through the Do Not Call registry, which allows Singaporeans who sign up for it to opt out of marketing messages on their telephones, mobile phones and fax machines.
While it may be considered progressive for its time and contains much of the same jargon that has now become the staple of data protection regulations across the world, the PDPA falls short of the GDPR’s hard-line approach to privacy and personal data protection. It was criticized for its many exemption clauses and does not have any requirements for special categories of sensitive data such as those relating to health, race, ethnicity, etc.
This particular failing was not without its consequences: in June 2018, Singapore suffered its worst data breach to date when the personal data of 1.5 million healthcare patients, including that of its Prime Minister, Lee Hsien Loong, was compromised. The Personal Data Protection Committee (PDPC), tasked with enforcing the PDPA, fined Integrated Health Information Systems (IHIS), the technology agency running the healthcare institutions’ IT systems, S$750,000 (approx. $540,000) and SingHealth, the data controller, S$250,000 (approx. $181,000). A probe report found that the data breach was primarily caused by weak cybersecurity practices.
The PDPC has since announced its intention to update the PDPA’s requirements, most notably by adding mandatory data breach notifications and data portability to the legislation. It also issued a number of guides to assist organizations in understanding its approach to regulating Singapore’s personal data protection regime. Its most recent guides, released on 22 May 2019, cover data protection management, active enforcement and managing data breaches.
Business contact information, when used for business purposes and not in a personal capacity, is not protected by the PDPA. Neither is personal data about an individual that has been in existence for at least 100 years, or personal data about individuals who have been deceased for over 10 years.
The PDPA requires express consent from individuals to collect personal data, but includes no less than 18 exemptions to the rule, which allow organizations to collect personal data without consent.
The PDPA goes a step further than exemptions and also accepts deemed consent as valid consent. Deemed consent is essentially data provided voluntarily by an individual to an organization when it is reasonable for the individual to do so. This voluntarily provided data can then be passed on to another organization for a particular purpose.
Singaporeans have the option of withdrawing consent, even in the case of deemed consent. However, any legal consequences of the withdrawal have to be borne by the individual, who must be informed of these likely consequences by the organization from which they request the withdrawal. Companies are also not obligated to inform third parties of consent withdrawals, so it falls to the individual to seek them out and withdraw consent from them as well. The withdrawal of consent cannot be requested if the collection, use or disclosure of the information is required by law, or if it is necessary for legal or business purposes.
Cross-border data transfers
Organizations can transfer personal information from Singapore to other countries only in compliance with the PDPA, or if they have applied for and received an exemption from the PDPC. Those that need to transfer data across borders in accordance with the PDPA must ensure that the country to which the data is being transferred has a level of data protection comparable to the standards set forth by the PDPA.
Data can also be transferred to other countries if organizations have received consent from the individual to do so, if data transfer agreements have been put in place, or if transfers are necessary in certain prescribed circumstances.
The Penalties
If organizations tamper with personal data or hide information concerning its collection, use or disclosure, they face a fine not exceeding S$50,000 (approx. $36,000). Any attempt to hinder a PDPC investigation can lead to a fine of not more than S$100,000 (approx. $72,000). Companies are also liable for their employees’ actions in the eyes of the PDPA, whether they are aware of them or not.
The maximum penalty allowed by the PDPA is S$1,000,000 (approx. $725,000) and, as shown in the case of the SingHealth data breach, the PDPC is not shy about issuing it.