Question
FACTA For the purposes of this litigation, Money International hired a Suriname-based lawyer. The lawyer has proposed that MI provides them with remote access to all relevant databases on the Dutch servers, so that they can select the information most relevant for this discovery request.
Your role:
You are a Data Protection Officer of Money International in the Netherlands. You were asked to provide MI's legal department with a recommendation on minimizing the GDPR compliance risks and MI's exposure to enforcement. Before writing your memorandum, consider two possible options:
- In the first situation, MI selects relevant information in the Netherlands and sends the information directly to Monique Lin in Suriname.
- In the second situation, MI provides its lawyer in Suriname with remote access to its servers in the Netherlands. The information selected by the lawyer is then transferred to the lawyer in Suriname and shared by the lawyer with Monique Lin.
QUESTIONS: ANSWER IN 1200 WORDS.
Relying on the readings and the discussion in this module, write a memorandum that addresses the following:
- Identify relevant transfers of personal data (as defined by the GDPR) in each of the situations.
- Identify the legal mechanisms for transfer of personal data under the GDPR that are most appropriate for data transfers in each of the situations, and under what conditions.
There are three types of mechanisms applicable to cross-border transfers in a business setting:
- Adequacy decisions regulated in Article 45 of the GDPR
- Appropriate safeguards listed in Article 46
- Derogations for specific situations listed in Article 49
ADEQUACY
When evaluating the adequacy of a foreign country's legal protection of personal data, the European Commission must take into account multiple factors listed in paragraph 2 of Article 45 GDPR. These factors include, for example:
- Whether there is an independent data protection authority
- Whether access to privately held personal data by public authorities (e.g., for government surveillance or law enforcement purposes) is limited to what is "strictly necessary"
- Whether the foreign legal framework provides for effective access to courts for individuals to protect their data protection rights
Appropriate Safeguards
In the absence of an adequacy decision, controllers and processors may transfer personal data outside the EU on the basis of appropriate safeguards listed in Article 46. These include, for example:
- binding corporate rules (BCRs): codes of conduct adopted by a group of companies and approved by relevant DPAs
- standard data protection clauses, most commonly referred to as Standard Contractual Clauses, adopted by the European Commission
Note: For the purposes of this exercise, assume that compelling legitimate interest is not available as a legal basis.
Instructions
When companies conducting business internationally are involved in litigation, providing information to the other party in litigation or to the court in a foreign country often involves transfers of personal data. The reason for this is that multinational companies often centralize storage of their data in one of their locations (often the location of their headquarters) or with a cloud service provider.
Case:
An international bank Money International (MI) with offices in the Netherlands and Suriname, among others, has filed a claim against a Suriname borrower (Monique Lin) in default in Suriname. Monique Lin has sent a discovery request to MI, which has the status of a court order, requiring that several documents relevant to the case be made available to Monique Lin, who lives in Paramaribo.
Most of the documents contain personal data of Monique Lin and other individuals. In particular, they contain information about Lin's financial transactions (which would also include personal data of other parties to the transaction), as well as internal communication between bank employees concerning his case. All the relevant documents are stored in MI's data center in the Netherlands.
DEROGATIONS:
Derogations under Article 49, unlike the adequacy mechanism and appropriate safeguards, can only be relied on for occasional and non-repetitive transfers (but not necessarily one single transfer). The EDPB takes the position that such derogations are not suitable for regular and systematic transfers.
The derogations under Article 49 most relevant in practice are:
1. the explicit consent of data subjects
2. the necessity for the performance of a contract between the data subject and the controller
3. the necessity for the conclusion or performance of a contract concluded in the interest of a data subject between a controller and another natural or legal person
4. the necessity for the establishment, exercise or defense of legal claims
Compare the GDPR compliance risks (i.e., exposure to enforcement) in each of the two situations and recommend the one that is the least risky.
GIVE YOUR REFERENCE AND ANSWER IN 800 WORDS