Overview
This article ensures that international agreements for the transfer of personal data to third countries or international organizations, concluded by Member States before 24 May 2016, remain in force until they are amended, replaced, or revoked, provided they comply with Union law as applicable before that date.
Key Principles
Continuity: Existing international agreements remain valid during the transition to GDPR.
Compliance with Union Law: Agreements must align with EU law in effect prior to 24 May 2016.
Transfer of Personal Data: Applies specifically to agreements facilitating cross-border data transfers.
Stability: Ensures uninterrupted international data flows while GDPR takes effect.
Transparency: Provides clarity on the status of pre-existing agreements.
Organizational Applicability
This article applies to:
Member States managing pre-existing international agreements on personal data transfers.
Controllers and processors relying on these agreements for data transfers.
Supervisory authorities overseeing compliance with GDPR and international agreements.
Legal and compliance teams managing cross-border data transfer obligations.
Implementation Requirements
Identify and document international agreements concluded before 24 May 2016.
Verify that agreements comply with Union law applicable at the time of conclusion.
Continue operations under these agreements until amendment, replacement, or revocation.
Ensure oversight and compliance mechanisms are in place to monitor validity and adherence.
Implementation Guidance
Maintain a registry of pre-existing international agreements and their status.
Train staff on legal implications and compliance requirements for continued use.
Coordinate with supervisory authorities to ensure data transfers remain lawful.
Periodically review agreements for potential amendments or revocation needs.
Periodic Review
Frequency: Annually or when agreements are amended, replaced, or revoked.
Responsible Role: Compliance Team, Legal Department, or Data Protection Officer (DPO).
Outcome: Ensure continued lawful cross-border data transfers in compliance with GDPR and prior EU law.
Non-Compliance Risks
Fines: Up to €20 million or 4% of global annual turnover for GDPR violations.
Legal Exposure: Liability for transferring personal data without valid agreements.
Reputational Damage: Loss of trust due to non-compliance in international data transfers.
Operational Risk: Disruption of cross-border operations or enforcement action due to invalid agreements.