On August 10, 2017, the Superintendence of Industry and Commerce presented a new regulation under the country's recently enacted international data transfer law. Specifically, the new circular explicitly sets forth the standards that must be considered when deciding if a country has an adequate data protection level, as well as a list of countries that have been deemed to meet such criteria. The circular also defines specific parameters for requesting a declaration of conformity from the Superintendence of Industry and Commerce.
In particular, the new regulation contains the following provisions:
1. Standards for determining if data protection level is adequate:
To determine whether a country's data protection level is adequate, the following standards must be considered:
(i) the existence of binding regulations applicable to the processing of personal data;
(ii) the legal recognition of principles applicable to data processing, the rights of data subjects and the duties of both data controllers and processors;
(iii) the existence of judicial and administrative means and channels to ensure the effective enforcement of the law and the rights of data subjects; and
(iv) the existence of competent authorities in charge of supervising the processing of personal data and enforcing applicable legislation.
Lastly, to ensure the legitimacy of the international data transfer, it is the obligation of data controllers to verify that the recipient country complies with the aforementioned standards.
2. Countries offering adequate levels of data protection:
According to the circular, the following countries are regarded as offering an appropriate level of data protection: Austria, Belgium, Bulgaria, Cyprus, Costa Rica, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Iceland, Italy, South Korea, Latvia, Lithuania, Luxembourg, Malta, Mexico, Netherlands, Norway, Peru, Poland, Portugal, Spain, Slovakia, Slovenia, United Kingdom, United States, Romania, Serbia, Sweden, and any countries that the European Commission regards as having an adequate level of data protection.
3. Procedures related to the request of declarations of conformity:
A data controller that is unable to justify an international data transfer through the standards of an adequate level of protection, the listing of countries offering an adequate level of protection, or certain exceptions established in the law must request a declaration of conformity...