
COMMISSION DECISION of 5 March 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection provided by the Faeroese Act on processing of personal data (notified under document C(2010) 1130) (Text with EEA relevance) (2010/146/EU) 

THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and in particular Article 25(6) thereof,
After consulting the Working Party on Protection of Individuals with regard to the processing of personal data,
Whereas:

(1) Pursuant to Directive 95/46/EC, Member States are required to provide that the transfer of personal data to a third country may take place only if the third country in question ensures an adequate level of protection and if the Member States' laws implementing other provisions of the Directive are complied with prior to the transfer.

(2) The Commission may find that a third country ensures an adequate level of protection. In that case, personal data may be transferred from the Member States without additional guarantees being necessary.

(3) Pursuant to Directive 95/46/EC the level of data protection should be assessed in the light of all the circumstances surrounding a data transfer operation or a set of data transfer operations and giving particular consideration to a number of elements relevant for the transfer and listed in Article 25(2) thereof.

(4) Given the different approaches to data protection in third countries, the adequacy assessment should be carried out, and any decision based on Article 25(6) of Directive 95/46/EC should be made and enforced in a way that does not arbitrarily or unjustifiably discriminate against or between third countries where like conditions prevail, nor constitute a disguised barrier to trade, regard being had to the Community’s present international commitments.

(5) The Faeroe Islands are a self-governing community within the Kingdom of Denmark. When Denmark joined the European Community in 1973, the Faeroe Islands did not. They are therefore to be considered as a third country within the meaning of Directive 95/46/EC.

(6) The Home Rule Act of the Faeroe Islands divides all policy areas into two main groups, whereby Special Faeroese Affairs are the responsibility of the Faeroese Government’s administration and legislation and Joint Concerns are the responsibility of the Kingdom of Denmark. This Decision only covers transfer of personal data from the Community to recipients in the Faeroe Islands who are subject to the Act on Processing of Personal Data (‘the Faeroese Act’). The Faeroese Act does not apply to the processing of personal data in the course of an activity carried out by authorities of the Kingdom of Denmark, namely, the High Commissioner of the Faeroe Islands (Rigsombudsmanden), the Court of the Faeroe Islands (Sorenskriveren), the Commissioner of the Faeroe Islands (Politimesteren på Færøerne), the Prison and Probation Service of the Faeroe Islands (Kriminalforsorgens afdeling), the Island Command Faeroes (Færøernes Kommando) and the Chief Medical Officer of the Faeroe Islands (Landslægen).

(7) The Faeroese Act is based on the standards set out in Directive 95/46/EC and accordingly it covers all the basic principles necessary for an adequate level of protection of the right of natural persons to privacy with respect to the processing of personal data. The application of these standards is guaranteed by judicial remedy and by independent supervision carried out by the supervisory authority, the Data Protection Commissioner, who is invested with powers of investigation and intervention.

(8) In the interest of transparency and in order to safeguard the ability of the competent authorities in the Member States to ensure the protection of individuals as regards the processing of their personal data, it is necessary to specify the exceptional circumstances in which the suspension of specific data flows may be justified, notwithstanding the finding of adequate protection.

(9) The measures provided for in this Decision are in accordance with the opinion of the Committee established under Article 31(1) of Directive 95/46/EC,
HAS ADOPTED THIS DECISION:

Article 1 
For the purposes of Article 25(2) of Directive 95/46/EC, the Faeroe Islands are considered as providing an adequate level of protection for personal data transferred from the European Union to recipients subject to the Act on Processing of Personal Data (‘the Faeroese Act’).
Article 2 
This Decision concerns only the adequacy of protection provided in the Faeroe Islands by the Faeroese Act with a view to meeting the requirements of Article 25(1) of Directive 95/46/EC and does not affect other conditions or restrictions implementing other provisions of that Directive that pertain to the processing of personal data within the Member States.
Article 3 
Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive 95/46/EC leading to the suspension or definitive ban of data flows to a recipient in the Faeroe Islands whose activities fall under the scope of the Faroese Act on Processing of Personal Data in order to protect individuals with regard to the processing of their personal data, the Member State concerned shall, without delay, inform the Commission which will forward the information to the other Member States.
Article 4 

1. The Commission shall, on an ongoing basis, monitor developments in the Faeroese legal order that could affect the functioning of this Decision, including developments concerning access to personal data by public authorities, with a view to assessing whether the Faeroe Islands continue to ensure an adequate level of protection of personal data.
2. The Member States and the Commission shall inform each other of cases where the action of bodies responsible for ensuring compliance with the standard of protection in the Faeroe Islands fails to secure such compliance.
3. The Member States and the Commission shall inform each other of any indications that interferences by Faeroese public authorities responsible for national security, law enforcement or other public interests with the right of individuals to the protection of their personal data go beyond what is strictly necessary, or that there is no effective legal protection against such interferences.
4. Where evidence shows that an adequate level of protection is no longer ensured, including in situations referred to paragraphs 2 and 3 of this Article, the Commission shall inform the competent Faeroese authority and, if necessary, propose draft measures in accordance with the procedure referred to in Article 31(2) of Directive 95/46/EC with a view to repealing or suspending this Decision or limiting its scope.
Article 5 
The Commission shall monitor the functioning of this Decision and report any pertinent findings to the Committee established under Article 31 of Directive 95/46/EC, including any evidence that could affect the finding in Article 1 of this Decision, that protection in the Faeroe Islands is adequate within the meaning of Article 25 of Directive 95/46/EC and any evidence that this Decision is being implemented in a discriminatory way.
Article 6 
Member States shall take s from the date of its notification to the Member States at the latest.
Article 7 
This Decision shall apply from 15 June 2010.
Article 8 
This Decision is addressed to the Member States.