(1)
Pursuant to Directive 95/46/EC, Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member States’ laws implementing other provisions of the Directive are complied with prior to the transfer.
(2)
The Commission may find that a third country ensures an adequate level of protection. In that case, personal data may be transferred from the Member States without additional guarantees being necessary.
(7)
The legal standards for the protection of personal data in New Zealand are primarily set out in the Privacy Act, as amended by the Privacy (Cross-border Information) Ammendement Act of 7 September 2010 (Public Act No 113 of 2010). It predates Directive 95/46/EC, and is not limited to automatically processed data or structured data in a filing system, but covers all personal information in whatever shape or form. It covers the entire public and private sectors, with a few specific public interest exceptions that one would expect in a democratic society.
(11)
The application of the legal data protection standards is guaranteed by administrative and judicial remedies, and by independent supervision carried out by the supervisory authority, the Privacy Commissioner, who is endowed with the kinds of powers set out in Article 28 of Directive 95/46/EC, and who acts independently. Moreover, any interested party is entitled to seek judicial redress for compensation for damages suffered as a result of the unlawful processing of his personal data.
(12)
New Zealand should therefore be regarded as providing an adequate level of protection for personal data as referred to in Directive 95/46/EC.
(13)
This decision should concern the adequacy of protection provided in New Zealand with a view to meeting the requirements of Article 25(1) of Directive 95/46/EC. It should not affect other conditions or restrictions implementing other provisions of the Directive that pertain to the processing of personal data within Member States.
(14)
In the interest of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection.
(15)
The Working Party on the protection of individuals with regard to the processing of personal data established under Article 29 of Directive 95/46/EC has delivered a favourable opinion on the level of adequacy as regards protection of personal data in New Zealand (2), which has been taken into account in the preparation of this Implementing Decision.
1. For the purposes of Article 25(2) of Directive 95/46/EC, New Zealand is considered as ensuring an adequate level of protection for personal data transferred from the Union.
1. Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to provisions other than Article 25 of Directive 95/46/EC, the competent authorities in Member States may exercise their existing powers to suspend data flows to a recipient in New Zealand in order to protect individuals with regard to the processing of their personal data in the following cases:
For the Commission
Viviane REDING
Vice-President
(1) OJ L 281, 23.11.1995, p. 31.
(2) Opinion 11/2011 dated 4 April 2011 on the level of protection of personal data in New Zealand. Available at http://ec.europa.eu/justice/data-protection/article-29/documentation/opinion-recommendation/files/2011/wp182_en.pdf
ANNEX
Competent supervisory authority referred to in Article 1(2) of this Decision:
Privacy Commissioner:
Te Mana Matapono Matatapu
Level 4
109-111 Featherston Street
Wellington 6143
New Zealand
Tel: +64-4-474 7590
Contact e-mail: enquiries@privacy.org.nz
Website: http://privacy.org.nz/