PORTUGAL Law and Practice Contributed by: Ricardo Henriques and Diogo Pereira Duarte, Abreu Advogados
tractual provisions (Article 30) and assessing whether conditions for supervisory oversight, such as those related to subcontracting, are satisfied (Article 28(4)(b)). When the service provider is based in a third country (ie, outside the European Union) and is classified as critical, the institution must also ensure compliance with EU data protection rules and verify the effective enforcement of such laws in that country (Article 29(2)).

In this regard, international data transfers between financial institutions and ICT service providers will likely involve the processing of both personal and non-personal data.

On the one hand, financial institutions must ensure that the international transfer of personal data directed to data importers (eg, ICT service providers) located in a third country provides appropriate safeguards to data subjects (ie, banking clients), as outlined in Chapter V of the GDPR. In particular, financial institutions may transfer personal data to a third country covered by an adequacy decision, which ensures that such a country or region provides an adequate level of protection for data subjects. Currently, the Commission has issued several adequacy decisions, including for Canada, Israel and Japan. If the third country is not subject to an adequacy decision by the Commission, financial institutions, as data controllers and data exporters, must implement appropriate safeguards, which may take the form of:

• binding corporate rules;
• standard data protection clauses adopted by the Commission;
• standard data protection clauses adopted by a supervisory authority with the approval of the Commission;
• an approved code of conduct, complemented by binding commitments of the controller or processor in the third country; or
• an approved certification mechanism, complemented by binding commitments of the controller or processor in the third country.

The GDPR provides additional exceptions that may legitimise international data transfer in the absence of an adequacy decision or the implementation of appropriate safeguards. In the context of financial institutions as data controllers, the explicit and informed consent of data subjects may be an appropriate legal basis for the transfer. Other exceptions may be relevant for this purpose, such as the exercise or defence of legal claims (Article 49 GDPR).

Non-personal data, on the other hand, is not covered by the GDPR and is therefore not subject to any specific restrictions on international data transfers. Nevertheless, Article 32 of the Data Act (Regulation (EU) 2023/2854) provides that customers of cloud service providers who store their non-personal data in the EU are entitled to protection against international and third-country governmental access and transfer of data. Providers of data processing services must therefore take appropriate measures to prevent such unlawful access and transfer.

Ultimately, financial institutions are required to ensure that the contractual provisions established with third-party ICT service providers located in a third country meet both the requirements of DORA and the appropriate safeguards described in the GDPR.