login
login
Image header Agence Europe
Europe Daily Bulletin No. 13895
Contents Publication in full By article 11 / 42
SECTORAL POLICIES / Digital

Digital Omnibus’ - transfers of personal data to third countries would be authorised for tax cooperation purposes

The new compromise text on the ‘Digital Omnibus’ legislative package, submitted by the Cyprus Presidency of the Council of the European Union to the Member States, introduces a new possibility allowing the transfer of personal data to third countries for tax cooperation purposes, as requested by several delegations. This amendment is among the adjustments made to the sixth compromise proposal drawn up by the Cyprus Presidency, with a view to an agreement by the Member States’ ambassadors (Coreper) on 26 June (see EUROPE 13893/15).

The Cyprus Presidency has proposed a “slight amendment” to Article 49 of the General Data Protection Regulation (GDPR), concerning derogations applicable in specific situations. “Transfers of personal data to third countries or international organisations may be necessary for important reasons of public interest within the meaning of Article 49”, notably in order to comply with “international agreements or administrative arrangements on mutual assistance or tax cooperation concluded by a Member State with a third country or an international organisation”, where personal data are exchanged periodically or automatically, a new recital 40b states. If the authorities consider that “the rights and freedoms of the data subject override the public interest pursued by the transfer ”, it must not take place.

Details concerning the disclosure to a third party of data that have been pseudonymised. The new text, consulted by Agence Europe, provides further details concerning the GDPR and the onward transfer or making available of personal data that have been pseudonymised to a third party that “holds or can reasonably obtain the means to identify the data subject”. In that case, those data will be regarded as data relating to an “identifiable” person, under the new Article 29. “Data which, in themselves, are not personal data may become personal data when they are made available to other persons who have means reasonably likely to enable the identification of the data subject. This applies both to the party transmitting those data and to the third party that subsequently processes them”, the revised recital 27 states.

Clarification regarding the derogation from the prohibition on processing biometric data. In addition, a new clarification added to recital 34 provides that a derogation from the prohibition on processing biometric data laid down in Regulation (EU) 2016/679 may also be authorised where verification of the declared identity of the data subject is necessary for the pursuit of a legitimate objective of the controller, subject, where appropriate, to suitable safeguards laid down by Union law or the applicable national law.

Among the other amendments is a change to Article 37 removing the obligation to communicate to the supervisory authorities the contact details of the Data Protection Officer (DPO), and an amendment to the regulation applicable to the European Union Institutions, Bodies and Agencies (EUDPR) to ensure consistency with the complete deletion of Article 88a of the GDPR.

Lastly, the text makes an adjustment to Article 23b concerning the national entry point that Member States will have to put in place “in order to support and facilitate” the notification of cybersecurity incidents and data breaches. (Original version in French by Ana Pisonero Hernández)

Contents

SECTORAL POLICIES
ECONOMY - FINANCE - BUSINESS
SOCIAL AFFAIRS - EMPLOYMENT
IRISH PRESIDENCY OF THE COUNCIL OF THE EUROPEAN UNION
SECURITY - DEFENCE
EXTERNAL ACTION
COURT OF JUSTICE OF THE EU
COUNCIL OF EUROPE
NEWS BRIEFS
Kiosk