Browsing by Author "Ferreira Miranda, Luiza"

The European Union’s data protection legislation has been under development for many years. The society changed and the need for a contemporary legislation arrived. Therefore, after many years of discussions and debates, the Directive 95/46/EC was repealed by the EU Regulation 2016/67 (GDPR,), effective as from 25 May 2018. The GDPR is committed to bring strength regarding the protection of individual’s personal data and also modernize the current business operational model, therefore, once the cross-border transfer plays an important role in such business the present paper aims to analyse (i) what is the process under European legislation when transferring personal data to third-countries, (ii) how the companies can ensure compliance under the GDPR, and (iii) what are the consequences for non-compliance from a business and legal points of view. The process for transferring personal data to a third country is well established under Section V of the GDPR. The Regulation now formally brings, for example, the mechanism of Binding Corporate Rules in its scope, and also provides further guidance on how data exporters must act when willing to have the personal data sent out of European Union or European Economic Area. The present research paper determined that the process to have Transborder flow (i) is now more straightforward, because it formally brings alternative methods and solutions for the companies to lawfully transfer such data, (ii) it is also more harmonised than before, because it has direct effect in the Member States' legislations, (iii) it is more effective, once the supervisory authorities holds more power and autonomy to act independently, and (iv) it is more severe on regards of its enforcement, due to the value of the administrative fines that can be imposed by the authorities. The lack of real case-laws and practical discussions conducted the author to make many assumptions and choose a more descriptive approach instead of providing clear implications of the new Regulation. Therefore, the conclusions are based on the comparison of the old Directive and the new Regulation, as well as practical experience in dealing with privacy on a regular basis. Nevertheless, it will be necessary more time after the GDPR comes into force in order to define if the new legislation is effective as expected, and if the cross-border transfer to third-countries actually safeguards the same European level of data protection or not.