This document is an excerpt from the EUR-Lex website
Document 32011D0061
2011/61/EU: Commission Decision of 31 January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data (notified under document C(2011) 332) Text with EEA relevance
2011/61/EU: Commission Decision of 31 January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data (notified under document C(2011) 332) Text with EEA relevance
2011/61/EU: Commission Decision of 31 January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data (notified under document C(2011) 332) Text with EEA relevance
OJ L 27, 1.2.2011, p. 39–42
(BG, ES, CS, DA, DE, ET, EL, EN, FR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV) This document has been published in a special edition(s)
(HR)
In force: This act has been changed. Current consolidated version: 17/12/2016
1.2.2011 |
EN |
Official Journal of the European Union |
L 27/39 |
COMMISSION DECISION
of 31 January 2011
pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data
(notified under document C(2011) 332)
(Text with EEA relevance)
(2011/61/EU)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, (1) and in particular Article 25(6) thereof,
After consulting the European Data Protection Supervisor,
Whereas:
(1) |
Pursuant to Directive 95/46/EC, Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member States’ laws implementing other provisions of the Directive are complied with prior to the transfer. |
(2) |
The Commission may find that a third country ensures an adequate level of protection. In that case, personal data may be transferred from the Member States without additional guarantees being necessary. |
(3) |
Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations and giving particular consideration to a number of elements relevant for the transfer and listed in Article 25 thereof. |
(4) |
Given the different approaches to data protection in third countries, the adequacy assessment should be carried out, and any decision based on Article 25(6) of Directive 95/46/EC should be made and enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail, nor constitute a disguised barrier to trade, regard being had to the European Union’s present international commitments. |
(5) |
The State of Israel’s legal system has no written constitution but constitutional status has been conferred on certain ‘Basic Laws’ by the Supreme Court of the State of Israel. Those ‘Basic Laws’ are complemented by a large body of case law, as the Israeli legal system adheres to a great extent to common law principles. The right to privacy is included in the ‘Basic Law: Human Dignity and Liberty’ under section 7. |
(6) |
The legal standards for the protection of personal data in the State of Israel are largely based on the standards set out in Directive 95/46/EC and are laid down in the Privacy Protection Act 5741-1981, lastly amended in 2007 in order to establish new processing requirements for personal data and the detailed organization of the supervisory authority. |
(7) |
That data protection legislation is further complemented by governmental decisions on the implementation of the Privacy Protection Act 5741-1981 and on the organisation and functioning of the supervisory authority, largely based upon recommendations formulated in the Report to the Ministry of Justice by the Committee for the Examination of Legislation relating to Databases (Schoffman Report). |
(8) |
Data protection provisions are also contained in a number of legal instruments regulating different sectors, such as financial sector legislation, health regulations and public registries. |
(9) |
The legal data protection standards applicable in the State of Israel cover all the basic principles necessary for an adequate level of protection for natural persons in relation to the processing of personal data in automated databases. Chapter 2 of Privacy Protection Act 5741-1981, which lays down the principles for the processing of personal data, does not apply to the processing of personal data in non-automated databases (manual databases). |
(10) |
The application of the legal data protection standards is guaranteed by administrative and judicial remedies and by independent supervision carried out by the supervisory authority, the Israeli Law, Information and Technology Authority (ILITA), which is invested with powers of investigation and intervention, and which acts completely independently. |
(11) |
Israeli data protection authorities have provided explanations and assurances as to how the Israeli law is to be interpreted, and have given assurances that the Israeli data protection legislation is implemented in accordance with such interpretation. This Decision takes account of these explanations and assurances, and is therefore conditional upon them. |
(12) |
The State of Israel should therefore be regarded as providing an adequate level of protection for personal data as referred to in Directive 95/46/EC with regard to automated international transfers of personal data from the European Union to the State of Israel or, where those transfers are not automated, they are subject to further automated processing in the State of Israel. Conversely, international transfers of personal data from the EU to the State of Israel whereby the transfer itself as well as the subsequent data processing is carried out exclusively through non-automated means should not be covered by this Decision. |
(13) |
In the interest of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection. |
(14) |
The adequacy findings pertaining to this Decision refer to the State of Israel, as defined in accordance with international law. Further onward transfers to a recipient outside the State of Israel, as defined in accordance with international law, should be considered as transfers of personal data to a third country. |
(15) |
The Working Party on the protection of individuals with regard to the processing of personal data established under Article 29 of Directive 95/46/EC has delivered a favourable opinion on the level of adequacy as regards protection of personal data in relation to automated international transfers of personal data from the European Union or, whether they are non-automated they are subject to further automated processing in the State of Israel. In its favourable opinion, the Working Party has encouraged the Israeli authorities to adopt further provisions which extend the application of Israeli legislation to manual databases, which expressly recognise the application of the proportionality principle to personal data processing in the private sector and which interpret the exemptions in international data transfers as in accordance with the criteria set out in its ‘Working document on a common interpretation of Article 26(1) of Directive 95/46/EC’ (2). This opinion has been taken into account in the preparation of this Decision (3). |
(16) |
The Committee established under Article 31(1) of Directive 95/46/EC did not deliver an opinion within the time limit laid down by its Chairman, |
HAS ADOPTED THIS DECISION:
Article 1
1. For the purposes of Article 25(2) of Directive 95/46/EC, the State of Israel is considered as providing an adequate level of protection for personal data transferred from the European Union in relation to automated international transfers of personal data from the European Union or, where they are not automated, they are subject to further automated processing in the State of Israel.
2. The competent supervisory authority of the State of Israel for the application of the legal data protection standards in the State of Israel is the ‘Israeli Law, Information and Technology Authority (ILITA)’, referred to in the Annex to this Decision.
Article 2
1. This Decision concerns only the adequacy of protection provided in the State of Israel, as defined in accordance with international law, with a view to meeting the requirements of Article 25(1) of Directive 95/46/EC and does not affect other conditions or restrictions implementing other provisions of that Directive that pertain to the processing of personal data within the Member States.
2. This Decision shall be applied in accordance with international law. It is without prejudice to the status of the Golan Heights, the Gaza Strip and the West Bank, including East Jerusalem, under the terms of international law.
Article 3
1. Without prejudice to their powers to take action to ensure compliance with national provisions adopted pursuant to provisions other than Article 25 of Directive 95/46/EC, the competent authorities in Member States may exercise their existing powers to suspend data flows to a recipient in the State of Israel in order to protect individuals with regard to the processing of their personal data in the following cases:
(a) |
where a competent Israeli authority has determined that the recipient is in breach of the applicable standards of protection; or |
(b) |
where there is a substantial likelihood that the standards of protection are being infringed, there are reasonable grounds for believing that the competent Israeli authority is not taking or will not take adequate and timely steps to settle the case at issue, the continuing transfer would create an imminent risk of grave harm to data subjects and the competent authorities in the Member State have made reasonable efforts in the circumstances to provide the party responsible for processing established in the State of Israel with notice and an opportunity to respond. |
2. The suspension shall cease as soon as the standards of protection are assured and the competent authority of the Member States concerned is notified thereof.
Article 4
1. Member States shall inform the Commission without delay when measures are adopted on the basis of Article 3.
2. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standards of protection in the State of Israel fails to secure such compliance.
3. If the information collected under Article 3 and under paragraphs 1 and 2 of this Article provides evidence that any body responsible for ensuring compliance with the standards of protection in the State of Israel is not effectively fulfilling its role, the Commission shall inform the competent Israeli authority and, if necessary, present draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.
Article 5
The Commission shall monitor the functioning of this Decision and report any pertinent findings to the Committee established under Article 31 of Directive 95/46/EC, including any evidence that could affect the finding in Article 1 of this Decision, that protection in the State of Israel is adequate within the meaning of Article 25 of Directive 95/46/EC and any evidence that this Decision is being implemented in a discriminatory way. In particular, it shall monitor the processing of personal data in manual databases.
Article 6
Member States shall take all the measures necessary to comply with the Decision within three months of the date of its notification.
Article 7
This Decision is addressed to the Member States.
Done at Brussels, 31 January 2011.
For the Commission
Viviane REDING
Vice-President
(1) OJ L 281, 23.11.1995, p. 31.
(2) Document WP114 of 25 November 2005. Available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2005/wp114_en.pdf
(3) Opinion 6/2009/EC on the level of protection of personal data in Israel. Available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp165_en.pdf
ANNEX
Competent supervisory authority referred to in Article 1(2) of this Decision:
The Israeli Law, Information and Technology Authority |
The Government Campus |
9th floor |
125 Begin Rd |
Tel Aviv |
Israel |
Mailing address:
PO Box 7360 |
Tel Aviv, 61072 |
Tel. + 972-3-7634050 |
Fax + 972-2-6467064 |
E-mail: ILITA@justice.gov.il |
Website: http://www.justice.gov.il/MOJEng/RashutTech/default.htm |