Cross-border data transfer

What requirements, if any, need to be satisfied if clinical trial data is transferred internationally?

As with health data, clinical trial data are considered sensitive data. Any processing (including transfer) of sensitive data is expressly prohibited. However, processing of sensitive data is allowed in certain exceptional cases prescribed by the Data Protection Law, among others, if the data subject has given his/her consent.

Generally speaking, international data transfer is limited to those countries offering adequate levels of data protection as provided by the Decision of the Council of Ministers no. 934, dated 2 September 2009 “On the determination of the countries which have a sufficient level of personal data protection”, i.e., EU and EEA member states, signatory countries of the Strasbourg convention, etc.

However, as an exception, international data transfer may take place freely even if made to a country which does not provide adequate protection provided the data subject has granted consent. Other exceptions include scenarios where the international transfer is necessary for the performance of a contract between the data subject and the data controller or in case the transfer is a legal obligation of the controller; the international transfer is necessary for protecting vital interests of the data subject; the transfer constitutes a legal requirement over an important public interest or, for exercising and protecting a legal right; the transfer is done from a register that provides information to the general public etc.

Exceptionally, if none of the scenarios above are applicable, international data transfer is also possible with the prior authorization of the Commissioner, if the Commissioner is satisfied that adequate safeguards with relation to privacy and other fundamental rights of the data subject are in place. The Commissioner can additionally provide for conditions and obligations under which the data transfer should take place.

Last modified 18 Oct 2022

Before an APP entity discloses personal information to an overseas recipient, the entity must take reasonable steps to ensure that the overseas recipient does not breach the APPs in relation to the information (APP 8.1). There are exceptions to the requirement in APP 8.1 to take reasonable steps and to the accountability provision in s 16C.

Note: an APP entity that discloses personal information to an overseas recipient is accountable for any acts or practices of the overseas recipient in relation to the information that would breach the APPs (s 16C).

Last modified 18 Oct 2022

Where the clinical trial data is key-coded and it is not possible to re-identify the data, such data are not personal data and thus international data transfer regulations do not apply.

However, where the re-identification of the participants’ personal data is possible, international data transfer requirements including adequate guaranteed measures must be met if the recipient is in a country which does not offer an adequate level of protection according to the GDPR (this especially concerns requirements set out by Article 44 et seq. GDPR together with the ECJ Schrems II decision).

Last modified 27 Feb 2023

Unless the data is anonymized, data transfers outside the European Union are in principle prohibited, unless an adequate level of protection is ensured through an adequacy decision or appropriate safeguards (e.g. standard contractual clauses) are applied or a derogation under Article 49 GDPR exists. Where standard contractual clauses are used, a transfer impact assessment must be performed.

Last modified 15 Sep 2022

Pursuant to the Law, health data, i.e., clinical trial data, falls under the category of special data, whose processing (which also implies transfer) is generally prohibited. However, processing of special data is allowed if inter alia the data subject has explicitly granted their consent.

Under the assumptions that the data subject has granted their consent, and that the data processing agreement is concluded between the controller and the processor, health data may be transferred to another country that implements adequate safeguards for personal data set by the Law.

Adequacy of safeguards is evaluated on the basis of specific characteristics of each particular transfer, such as the types of personal data, purpose and period of the processing, country to which data is to be transferred, statutory rules in force in the respective country and other relevant circumstances.

Generally, it is considered that the EU countries and signatories to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, undertake adequate safeguards, so that the data may be transferred to them.

Further, personal data may also be transferred to a country which does not provide adequate safeguards in the aforementioned sense, among others in the following cases envisaged by the Law: (i) prior consent was obtained from the person whose data are transferred and the person was informed on the potential consequences of the data transfer; (ii) the disclosure of personal data is necessary for fulfilling the contract between the data subject and the controller or the fulfilment of pre-contractual obligations undertaken at the request of the person whose data are processed.

Exceptionally, even if none of the aforementioned cases is applicable, the data can be legitimately transferred out of BH if the DPA approves such transfer if a data controller in that country provides adequate safeguards for the protection of privacy and fundamental rights and freedoms of individuals or provision of similar rights arises from the provisions of a special agreement.

Last modified 18 Oct 2022

If it is impossible for the recipient of key-coded clinical trial data to have access to a key needed for decoding, such data will not be considered as personal data in the scope of the GDPR, and thus, strict EU regulations regarding international transfers of personal data are not applicable.

If, however, the data can be considered as “personal data” as defined by the GDPR (and the CJEU’s decision cited above), international data transfers may only be carried out in full compliance with the GDPR, and should be based on either:

  • Appropriate safeguards (most commonly the EU Commission Standard Contractual Clauses coupled with a transfer impact assessment); or
  • A derogation under Article 49 GDPR.  For example, it may be possible to justify transfers of personal data necessary for pharmacovigilance purposes on the basis of Article 49(1)(d) (important reasons of public interest).

 

Last modified 18 Oct 2022

Assuming the clinical trial data is not anonymized, transfers to countries outside of the EU which do not benefit from an adequacy decision approved by the EU Commission should be based on either:

  • Appropriate safeguards (most commonly the EU Commission Standard Contractual Clauses coupled with a transfer impact assessment); or
  • A derogation under Article 49 GDPR. For example, it may be possible to justify transfers of personal data necessary for pharmacovigilance purposes on the basis of Article 49(1)(d) (important reasons of public interest).

Last modified 15 Sep 2022

Where clinical trials are conducted on the basis of section 10(1) of the Danish Data Protection Act (see also question 4 above), international transfer of clinical trial data constituting personal data requires prior approval from the Danish Data Protection Agency. This also applies to disclosure of biological material and disclosure of information for the purpose of publication in recognized scientific journals or similar, regardless of whether the recipient is within or outside the EU.

Where clinical trials are conducted using a different legal basis than section 10 of the Danish Data Protection Act, the general rules on export of personal data as laid down in chapter V of GDPR must be observed. Therefore, the data exporter must ensure that the data subjects will – also in the countries to which data are exported – enjoy a level of protection that is essentially equivalent to the level of protection within EU. This will always involve the application of a valid transfer mechanism as per GDPR article V, but would also require supplementary measures in situations, where the legislation in the countries of destination does not provide sufficient protection, as per the ruling of the European Court of Justice in the case C-311/18. 

Key-coded data will still be considered personal data, but key-coding may serve as a supplementary measure (as referred to above), provided that the key is protected by measures ensuring that it can never become available to the data importers.

Last modified 15 Sep 2022

The transfer needs to be made in accordance with GDPR Chapter V, meaning that the transfer should be based on appropriate safeguards, for example standard contractual clauses, and appropriate supplementary safeguards should be implemented if needed.

Last modified 18 Oct 2022

Subject to recent developments following the Schrems II decision, MR-001 and MR-003 provide the following:

Data that indirectly identifies research subjects and data that directly or indirectly identifies research professionals may be transferred out of the European Union when the transfer is strictly necessary to conduct the research or to exploit its results and complies with Chapter V of the GDPR.

The transfer may be made in connection with the commitment to comply with this methodology when any of the following conditions is satisfied:

  • The transfer is made to a country or an international organization recognized by the European Commission as providing an adequate level of protection, in accordance with Article 45 of the GDPR (adequacy decision);
  • The transfer is made subject to the appropriate safeguards listed in Article 46(2) of the GDPR (in particular: standard data protection clauses approved by the European Commission, binding corporate rules, codes of conduct, and certification mechanisms);
  • In the absence of an adequacy decision or appropriate safeguards, the transfer may be based on one of the exceptions set out in Article 49 of the GDPR when such a transfer is not repetitive, concerns only a limited number of data subjects, and is not structured.

The controller must have informed the data subjects in advance of the transfer of their personal data to third countries outside the European Union, of the existence or absence of an adequacy decision or appropriate safeguards, and of the means to obtain a copy of the appropriate or suitable safeguards in accordance with Article 13(1)(f) of the GDPR.

Last modified 18 Oct 2022

In those cases where the clinical trial data is key-coded and it is not possible to re-identify the data, the information received by the recipient would not be considered as personal data, and thus, the regulations that apply to international transfers of personal data are not applicable.

In those cases where the re-identification of the participants’ personal data is possible, international data transfers must be covered by adequate guarantees if the recipient is located in a country which does not offer an adequate level of protection under the GDPR. In particular, the requirements under Art. 44 et seq. GDPR, together with the Schrems II case law of the European Court of Justice, must be met.

Last modified 25 Oct 2022

Provided that re-identification of the participants’ personal data is possible and therefore data protection legislation is applicable, the restrictions laid down in Chapter V of the GDPR and the conditions set forth therein shall apply.

This means that personal data, including health data, can be lawfully transferred if one of the following requirements is met:

  • There is a European Commission Adequacy Decision, stating that the recipient country provides adequate protection for individuals’ personal data; or
  • The data exporter and importer (i) adopted appropriate safeguards pursuant to Articles 46 et seq. of the GDPR (e.g. Standard Contractual Clauses, Binding Corporate Rules, etc.), (ii) conducted a proper transfer impact assessment pursuant to EDPB’s recommendations 1/2020, and (iii) implemented further adequate contractual, organizational, and technical measures, as needed according to said transfer impact assessment.

Moreover, Article 49 of the GDPR provides for possible exceptions to the above-mentioned requirements, which can be applied only if specific circumstances are met.

Last modified 14 Sep 2022

In those cases where the clinical trial data is key-coded and it is not possible to re-identify the data (i.e. the personal data is anonymous), the information received by the recipient would not be considered as personal data, and thus, the regulations that apply to personal data (incl. international transfers thereof) are not applicable.

In those cases where the re-identification of the participants’ personal data is possible, cross-border transfers must be carried out in accordance with Articles 45 et seq. of the GDPR. This means that personal data, including health data, can be lawfully transferred if one of the following requirements is met:

  • There is a European Commission Adequacy Decision, stating that the recipient country provides adequate protection for individuals’ personal data; or
  • The data exporter and importer (i) adopted appropriate safeguards pursuant to Articles 46 et seq. of the GDPR (e.g. Standard Contractual Clauses, Binding Corporate Rules, etc.), (ii) conducted a proper transfer impact assessment pursuant to EDPB’s recommendations 1/2020, and (iii) implemented further adequate contractual, organizational, and technical measures, as needed according to said transfer impact assessment.

Moreover, Article 49 of the GDPR provides for possible exceptions to the above-mentioned requirements, which can be applied only if specific circumstances are met.

Last modified 14 Sep 2022

In those cases where it is not possible to re-identify the data subject, i.e. where the health data collected is truly anonymized, the information received by the recipient would not be considered as personal data, and thus, the regulations that apply to international transfers of personal data are not applicable.

In those cases where the re-identification of the participants’ personal data is possible, i.e. where the health data are pseudonymized, international data transfer rules (as set out in Chapter V of GDPR) shall be applicable to any transfers outside of the EEA or to a jurisdiction or international organization which is not subject to an adequacy decision.

In short, these data transfers must be subject to appropriate safeguards, required country assessments and adequate technical and security measures if the recipient is located in a country which does not offer an adequate level of protection under the GDPR.

Last modified 14 Sep 2022

Assuming the clinical trial data is not anonymized, cross-border transfers must be carried out in accordance with Articles 45 et seq. of the GDPR. This means that personal data, including health data, can be lawfully transferred if one of the following requirements is met:

  • There is a European Commission Adequacy Decision, stating that the recipient country provides adequate protection for individuals’ personal data; or
  • The data exporter and importer (i) adopted appropriate safeguards pursuant to Articles 46 et seq. of the GDPR (e.g. Standard Contractual Clauses, Binding Corporate Rules, etc.), (ii) conducted a proper transfer impact assessment pursuant to EDPB’s recommendations 1/2020, and (iii) implemented further adequate contractual, organizational, and technical measures, as needed according to said transfer impact assessment.

Moreover, Article 49 of the GDPR provides for possible exceptions to the above-mentioned requirements, which can be applied only if specific circumstances are met.

Last modified 31 Aug 2022

As no specific guidelines have been approved in Luxembourg, the general requirements for international transfers of Article 45 and following GDPR have to be followed:

  • If the country offers an adequate level of protection as assessed by the European Commission, then no transfer tool will be necessary.
  • If the country does not offer an adequate level of protection, then the appropriate measures (transfer tools) have to be put in place.

The Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data published by the EDPB are a good instrument for compliance. Also the CNPD has published its Guidelines on International Data Transfers that should be followed.

In any case, it should be borne in mind that this would only apply where personal data is concerned. If the data transferred is completely anonymized or provided only in aggregate, as could be the case for many clinical trials, then the GDPR rules will not be applicable.

Last modified 14 Sep 2022

Key-coded non-personal data

Transfer of clinical trial key-coded data which does not enjoy status of personal data is not subject to the transfer provisions of the DP Law.

Personal data

On the other hand, transfer of personal data arising from clinical trial is subject to the general transfer provisions of the DP Law.

Under the DP Law, personal data may be transferred to countries or international organizations which provide an adequate level of personal data protection, but only subject to the approval of the DPA. The DPA issues such approval only where it establishes that adequate measures for the protection of personal data are undertaken (criteria for the adequacy assessment include, for example, the type of the data and the statutory rules in force in the country to which the data is to be transferred).

However, in certain cases the DPA's approval is not required for data transfers out of Montenegro, as explicitly prescribed by the DP Law (e.g., if the data subject consented to the transfer and was made aware of possible consequences of such transfer, or the data is transferred to the European Union or European Economic Area or to any country that the EU Commission has determined ensures an adequate level of data protection).

Last modified 19 Oct 2022

The DP Law prescribes different rules on cross-border data transfer, depending on the country of the recipient.

When transferring personal data, including clinical trial data, to the EU or EEA, the data controller or processor must notify the local data protection authority at least 15 days before the transfer occurs.

Transferring personal data to a third country or international organization may be conducted only if the local data protection authority deems that the third country or international organization provides adequate levels of protection. The DP Law prescribes the following safeguards: (i) transfer of data based on an adequacy decision; (ii) transfers of data which are subject to appropriate safeguards; (iii) binding corporate rules; (iv) transfers or disclosure pursuant to international agreements. In specific situations, such transfer may occur upon fulfillment of certain conditions prescribed by the DP Law (such as explicit consent of the data subject, execution of a contract between the controller and data subject, etc.).

In practice, the local data protection authority insists on approving each of the above transfers. Furthermore, since 01 January 2022, the data protection authority requires that each request for approval of cross-border data transfer, aside from the legal ground for such transfer, is also accompanied by a Transfer Impact Assessment. Note that an approval is not required if the controller uses binding corporate rules of the group to which the controller belongs, if the same have been approved by the European Commission.

Last modified 18 Oct 2022

Transfer of clinical trial data would be dependent on the general rules in the GDPR and national regulation regarding the duty of confidentiality. 

In an international study, the participants abroad will be considered parties in the project, and the P.I. must make sure the data is processed in compliance with the GDPR internationally.

Last modified 31 Aug 2022

In those cases where the clinical trial data is key-coded and it is not possible to re-identify the participants (see our answers above), the information transferred would not be considered as personal data, and thus, the regulations that apply to international transfers of personal data would not be applicable.

In those cases where the re-identification of the participants’ personal data is possible, international data transfer must comply with Art. 45 et seq. of the GDPR; in particular, if the recipient is located in a country which does not offer an adequate level of protection under the GDPR, appropriate safeguards must be ensured.

No specific local laws or guidelines, other than the GDPR and the EDPB’s guidelines, have been published on this subject.

Last modified 31 Aug 2022

Assuming that re-identification of the participants’ personal data is possible, international transfers shall comply with GDPR requirements.

Last modified 31 Aug 2022

International data transfer shall be based on adequate safeguards if the recipient is located in a country which does not offer an adequate level of protection for personal data.

Last modified 31 Aug 2022

Key-coded non-personal data

Transfer of clinical trial key-coded data which does not enjoy status of personal data is not subject to the transfer provisions of the DP Law.

Personal data

On the other hand, transfer of personal data arising from clinical trial is subject to the general transfer provisions of the DP Law. Transfer provisions in the DP Law generally follow the ones from the GDPR, and provide that controller or processor may rely on the following mechanisms to convey a lawful transfer:

  1. Transfer based on adequate level of protection – A transfer of personal data to another country may be performed without prior approval if it is determined that such other country provides an adequate level of protection of personal data. In short, this includes all European countries, as well as the ones which are included on the EU’s or the Serbian Government’s list of countries providing an adequate level of data protection.
  2. Transfer with appropriate safeguards – In order to undertake a lawful transfer to territories which do not provide an adequate level of protection, the controller and/or processor will have to ensure that any of the safeguards is implemented (including e.g., standard contractual clauses (SCCs) prepared by the Serbian Data Protection Authority (the “DPA”), binding corporate rules (BCRs) or codes of conduct (CoCs)).
  3. Transfer in specific situations (so-called residual mechanism) – such as data subject’s explicit consent, necessity for the establishment, exercise or defence of legal claims, legitimate interests etc.

It is important in practice to note that, unlike the GDPR, the DP Law insists on appropriate authorisation of the relevant transfer safeguards/legal grounds (e.g., SCCs, BCRs, CoCs) by the DPA/Serbian authorities, rather than by the EU Commission/EU supervisory authorities.

For example, the SCCs, BCRs and codes of conduct can be used for transfers from Serbia to third countries, but only if they are approved by the DPA, meaning that the ones approved by the EU authorities would not be sufficient.

Finally, the DP Law recognises only the Controller-to-Processor SCCs, while the European Commission’s SCCs cover all mutual relations between controllers and processors (Controller-to-Processor, Controller-to-Controller, Processor-to-Controller, and Processor-to-Processor), and enable more than two parties to join in on the clauses.

Last modified 19 Oct 2022

In those cases where the clinical trial data is key-coded and it is not possible to re-identify the data, the information received by the recipient would not be considered as personal data, and thus, the regulations that apply to international transfers of personal data are not applicable.

In those cases where the re-identification of the participants’ personal data is possible, international data transfers must be covered by adequate guarantees if the recipient is located in a country which does not offer an adequate level of protection under the GDPR. Thus, cross-border transfers must be carried out in accordance with Articles 45 et seq. of the GDPR. This means that personal data, including health data, can be lawfully transferred if one of the following requirements is met:

  • There is a European Commission Adequacy Decision, stating that the recipient country provides adequate protection for individuals’ personal data; or
  • The data exporter and importer (i) adopted appropriate safeguards pursuant to Articles 46 et seq. of the GDPR (e.g. Standard Contractual Clauses, Binding Corporate Rules, etc.), (ii) conducted a proper transfer impact assessment pursuant to EDPB’s recommendations 1/2020, and (iii) implemented further adequate contractual, organizational, and technical measures, as needed according to said transfer impact assessment.

Moreover, Article 49 of the GDPR provides for possible exceptions to the above-mentioned requirements, which can be applied only if specific circumstances are met.

Last modified 31 Aug 2022

In those cases where the clinical trial data is completely anonymized and it is not possible to re-identify the data, the information received by the recipient would not be considered as personal data, and thus, GDPR's restrictions that apply to international transfers of personal data are not applicable.

In those cases where the re-identification of the participants’ personal data is possible, international data transfers must be covered by adequate guarantees if the recipient is located in a country which does not offer an adequate level of protection under the GDPR.

Last modified 31 Aug 2022

Assuming the clinical trial data is not anonymized, transfers to countries outside of the UK which do not benefit from an adequacy decision approved by the UK Government [1] should be based on either:

  • Appropriate safeguards (most commonly either (i) the EU Commission Standard Contractual Clauses, as amended by the UK International Data Transfer Addendum; or (ii) the UK International Data Transfer Agreement).
  • A derogation under Article 49 UK GDPR.  For example, it may be possible to justify transfers of personal data necessary for pharmacovigilance purposes on the basis of Article 49(1)(d) (important reasons of public interest).
[1] At the date of writing, this includes all EU and EEA states, as well as all countries benefitting from an EU Commission adequacy decision in force as at 31 December 2020.

Last modified 31 Aug 2022

Albania


Has the local regulator published any guidelines/regulations addressing privacy matters on clinical trials and/or pharmacovigilance? ('Regulator' may mean either the local data protection authority, or the local medicines authority.)

Yes, with regard to clinical trials. The Albanian Data Protection Commissioner (“Commissioner”) has approved Instruction no. 18 as of 03.07.2012 “On the processing of personal data in the context of clinical trials of drugs” (“Instruction no. 18”).

The instruction is available online.

No guidelines or regulations have been published with regard to pharmacovigilance.

Last modified 18 Oct 2022


Do the privacy laws and regulations applicable to clinical trials in your jurisdiction provide for extraterritorial applicability?

No.

Law no. 9887 “On the Protection of Personal Data”, as amended (Data Protection Law) does not provide for extraterritorial applicability.

However, the domestic Data Protection Law does extend to controllers located outside the territory of the Republic of Albania who process personal data with “means” located within the territory of the Republic of Albania. The law does not provide any definition of “means”; however, the Commissioner has confirmed verbally on several occasions that “means” shall be understood as anything from equipment (i.e., servers), apps or persons located in Albania to collect personal data.

In case the controller (i.e., sponsor) is located outside the Republic of Albania, it must appoint a designated representative located within the territory of the Republic of Albania.

Last modified 18 Oct 2022


What is the preferred legal ground for the processing of the personal data of the participants in a clinical trial in your jurisdiction?

Article 4.2 of Instruction no. 18 states that personal data is processed only if the test subject has consented. Therefore, consent is a mandatory legal ground for processing of the personal data. Further, based on article 4.3 of Instruction no. 18, personal data of clinical trial participants can be processed only for the following purposes:

  • If necessary for granting the registration permit of a drug;
  • To prove the clinical effect and safety of a drug during the scientific research process;
  • To reassess the efficiency and safety of a drug after its release in the market.

Last modified 18 Oct 2022


What is the legal ground for the processing of the personal data in respect of pharmacovigilance in your jurisdiction?

The processing of patients’ personal data in respect of pharmacovigilance activities is based on the existence of a legal obligation based on Article 6.1. of the Data Protection Law.

In cases of adverse effects of a certain medicine/drug, the legal ground for conducting data processing activities can also be considered the protection of vital interests of the data subject (Article 6.1.c of the Data Protection Law).

Last modified 18 Oct 2022


Indicate the role from a data protection perspective of various parties involved (i.e., in respect of the processing of the personal data of the clinical trial).

| Role | Notes |
| --- | --- |
| Sponsor | Data controller of the participants' data. |
| Principal Investigator | Data controller of the participants’ data in connection to data processing activities that arise from the performance of investigation activities. |
| Clinical Trial Site | Data controller for the purpose of helping the investigation. |
| Monitor | Sponsor's data processor monitoring the investigation. |
| CRO | Sponsor's data processor when performing activities that involve access by the CRO to the participants' data. |

Last modified 18 Oct 2022


Is key-coded clinical trial data considered personal data under your jurisdiction’s data protection laws? (Key-coded clinical trial data is where the identity of the individual clinical trial participant is replaced with a unique subject identification code, and the ‘key’ which can be used to re-identify the participant is held by the Principal Investigator.)

Yes.

There is no definition of key-coded information under the Data Protection Law; however, as long as the key-coded information is accessible through a “key”, data subjects are at some point or somehow identified/identifiable regardless of who is holding the key to access the information. Therefore, key-coded information is considered personal data under the Data Protection Law.

Last modified 18 Oct 2022


Is it possible to re-use the personal data obtained for the purposes of conducting the clinical trial? If so, what requirements need to be satisfied?

Yes.

It is possible to re-use the personal data obtained for the purpose of conducting clinical trials, as a general rule only upon consent of the data subject. Other legal grounds for the processing need to be satisfied on a case-by-case basis (e.g., protection of vital interests of the data subject).

Hence, if the consent and/or the legal ground for processing of data extends to the re-use/re-processing scenario, there is no need to obtain a second consent or to conduct processing on different legal grounds, as there is already a valid legal ground in place for processing of personal data, i.e., in case of research for the same purpose.

In light of the above, please consider that the consents given and/or the legal ground allowing the processing of data obtained for the purpose of conducting clinical trials do not automatically, and in any case, extend to the re-use of the personal data for other/later purposes unless those are specified.

Last modified 18 Oct 2022


Anisa Rrumbullaku

Partner

Karanovic & Partners

T: +355 69 20 42 722

Sirius Tartari

Karanovic & Partners
