Commission Decision

Isle of Man Adequacy Decision

COMMISSION DECISION
of 28 April 2004
on the adequate protection of personal data in the Isle of Man
(notified under document number C(2004) 1556)
(Text with EEA relevance)
(2004/411/EC)
THE COMMISSION OF THE EUROPEAN COMMUNITIES,
having regard to the Treaty establishing the European Community,
having regard to Directive 9 5/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (1), and in particular Article 25(6) thereof,
After consulting the Working Party on the Protection of Individuals with regard to the processing of Personal Data (2),
whereas:
(1)
Pursuant to Directive 95/46/EC Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member States' laws implementing other provisions of the Directive are complied with prior to the transfer.
(2)
The Commission may find that a third country ensures an adequate level of protection. In that case, personal data may be transferred from the Member States without additional guarantees being necessary.
(3)
Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations, and giving particular consideration to a number of elements relevant for the transfer and listed in Article 25(2) thereof.
(4)
Given the different approaches to data protection in third countries, the adequacy assessment should be carried out, and any decision based on Article 25(6) of Directive 95/46/EC should be made and enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail, nor constitute a disguised barrier to trade, regard being had to the Community's present international commitments.
(5)
The Isle of Man is one of the dependencies of the British Crown (being neither part of the United Kingdom nor a colony) that enjoys full independence, except for international relations and defense which are the responsibility of the United Kingdom Government The Isle of Man should therefore be considered as a third country within the meaning of the Directive.
(6)
At the island's request, with effect from May 1993, the United Kingdom's ratification of the Council of Europe Convention on the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No 108) was extended to the Isle of Man.
(7)
As regards the Isle of Man, the legal standards on the protection of personal data based on the standards set out in Directive 95/46/EC have been provided for in the Data Protection Act 2002 (”the Act”), which entered into force on 1 April 2003. This Act repeals and replaces the Data Protection Act 1986 (”the 1986 Act”).
(8)
Other laws which impact or are likely to impact upon data protection include the Human Rights Act 2001, which was passed by Parliament on 16th January 2001 and is not yet fully in force and the Access to Health Records and Reports Act 1993.
(9)
The legal standards applicable in the Isle of Man cover all the basic principles necessary for an adequate level of protection for natural persons. The application of these standards is guaranteed by judicial remedy and by independent supervision carried out by the authorities, such as the Data Protection Commissioner invested with powers of investigation and intervention.
(10)
The Isle of Man should therefore be regarded as providing an adequate level of protection for personal data as referred to in Directive 95/46/EC.
(11)
In the interest of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection.
(12)
The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31(1) of Directive 95/46/EC,
HAS ADOPTED THIS DECISION: