2008/393/EC: Commission Decision of 8 May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey (notified under document number C(2008) 1746) (Text with EEA relevance)
OJ L 138, 28.5.2008, p. 21–23 (BG, ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
BG CS DA DE EL EN ES ET FI FR HU IT LT LV MT NL PL PT RO SK SL SV
|Bilingual display: BG CS DA DE EL EN ES ET FI FR HU IT LT LV MT NL PL PT RO SK SL SV|
of 8 May 2008
pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey
(notified under document number C(2008) 1746)
(Text with EEA relevance)
THE COMMISSION OF THE EUROPEAN COMMUNITIES,
Having regard to the Treaty establishing the European Community,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data , and in particular Article 25(6) thereof,
After consulting the Working Party on Protection of Individuals with regard to the processing of personal data ,
(1) Pursuant to Directive 95/46/EC, Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member States' laws implementing other provisions of the Directive are complied with prior to the transfer.
(2) The Commission may find that a third country ensures an adequate level of protection. In that case, personal data may be transferred from the Member States without additional guarantees being necessary.
(3) Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations, and giving particular consideration to a number of elements relevant for the transfer and listed in Article 25(2) thereof.
(4) Given the different approaches to data protection in third countries, the adequacy assessment should be carried out, and any decision based on Article 25(6) of Directive 95/46/EC should be made and enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail, nor constitute a disguised barrier to trade, regard being had to the Community's present international commitments.
(5) The Bailiwick of Jersey is one of the dependencies of the British Crown (being neither part of the United Kingdom nor a colony) that enjoys full independence, except for international relations and defense which are the responsibility of the United Kingdom Government. The Bailiwick of Jersey is therefore to be considered as a third country within the meaning of Directive 95/46/EC.
(6) With effect from 1951 and 1987 respectively, the United Kingdom's ratification of the European Convention on Human Rights and the Council of Europe Convention on the Protection of Individuals with regard to automatic processing of personal data (Convention No 108) were extended to the Bailiwick of Jersey.
(7) As regards the Bailiwick of Jersey, the legal standards on the protection of personal data largely based on the standards set out in Directive 95/46/EC have been provided for in the Data Protection (Jersey) Law 1987, which entered into force on 11 November 1987 and two ancillary laws, the Data Protection (Amendment) (Jersey) Law 2005, and the Data Protection (Jersey) Law 2005 (Appointed Day) Act 2005.
(8) Secondary legislation has also been adopted under the authority of the Data Protection (Jersey) Law, in 2005, laying down specific rules concerning issues such as subject access, processing of sensitive data and notification to the data protection authority .
(9) The legal standards applicable in Jersey cover all the basic principles necessary for an adequate level of protection for natural persons. The application of these standards is guaranteed by judicial remedy and by independent supervision carried out by the authority, the Data Protection Commissioner, who is invested with powers of investigation and intervention.
(10) Jersey should therefore be regarded as providing an adequate level of protection for personal data as referred to in Directive 95/46/EC.
(11) In the interest of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection.
(12) The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31(1) of Directive 95/46/EC,
HAS ADOPTED THIS DECISION:
For the purposes of Article 25(2) of Directive 95/46/EC, the Bailiwick of Jersey is considered as providing an adequate level of protection for personal data transferred from the Community.
This Decision concerns the adequacy of protection provided in Jersey with a view to meeting the requirements of Article 25(1) of Directive 95/46/EC and does not affect other conditions or restrictions implementing other provisions of that Directive that pertain to the processing of personal data within the Member States.
1. Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to provisions other than Article 25 of Directive 95/46/EC, the competent authorities in Member States may exercise their existing powers to suspend data flows to a recipient in Jersey in order to protect individuals with regard to the processing of their personal data in the following cases:
(a) where a competent Jersey authority has determined that the recipient is in breach of the applicable standards of protection; or
(b) where there is a substantial likelihood that the standards of protection are being infringed, there are reasonable grounds for believing that the competent Jersey authority is not taking or will not take adequate and timely steps to settle the case at issue, the continuing transfer would create an imminent risk of grave harm to data subjects and the competent authorities in the Member State have made reasonable efforts in the circumstances to provide the party responsible for processing established in Jersey with notice and an opportunity to respond.
2. The suspension shall cease as soon as the standards of protection are assured and the competent authority of the Member States concerned is notified thereof.
1. Member States shall inform the Commission without delay when measures are adopted on the basis of Article 3.
2. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standards of protection in Jersey fails to secure such compliance.
3. If the information collected under Article 3 and under paragraphs 1 and 2 of this Article provides evidence that any body responsible for ensuring compliance with the standards of protection in Jersey is not effectively fulfilling its role, the Commission shall inform the competent Jersey authority and, if necessary, present draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.
The Commission shall monitor the functioning of this Decision and report any pertinent findings to the Committee established under Article 31 of Directive 95/46/EC, including any evidence that could affect the finding in Article 1 of this Decision, that protection in Jersey is adequate within the meaning of Article 25 of Directive 95/46/EC and any evidence that this Decision is being implemented in a discriminatory way.
Member States shall take all the measures necessary to comply with the Decision within four months of the date of its notification.
This Decision is addressed to the Member States.
Done at Brussels, 8 May 2008.
For the Commission
 OJ L 281, 23.11.1995, p. 31. Directive as amended by Regulation (EC) No 1882/2003 (OJ L 284, 31.10.2003, p. 1).
 Opinion No 8/2007 on the level of protection of personal data in Jersey, adopted on 9 October 2007, available at http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2007_en.htm
 These are the Data Protection (Corporate Finance Exemption) (Jersey) Regulations 2005, the Data Protection (Credit Reference Agency) (Jersey) Regulations 2005, the Data Protection (Fair Processing) (Jersey) Regulations 2005, the Data Protection (International Cooperation) (Jersey) Regulations 2005, the Data Protection (Notification) (Jersey) Regulations 2005, the Data Protection (Sensitive Personal Data) (Jersey) Regulations 2005, the Data Protection (Subject Access Exemptions) (Jersey) Regulations 2005, the Data Protection (Subject Access Miscellaneous) (Jersey) Regulations 2005, the Data Protection (Subject Access Modification — (Education) (Jersey) Regulations 2005, the Data Protection (Subject Access Modification — (Health) (Jersey) Regulations 2005, the Data Protection (Subject Access Modification — (Social Work) (Jersey) Regulations 2005, and the Data Protection (Transfer in Substantial Public Interest) (Jersey) Regulations 2005.