1. The Principality of Kaharagia, having no physical territory, recognises that all personal data processed within its legal order is inherently stored in foreign jurisdictions. This Article establishes the standards and safeguards applicable to the storage and transfer of personal data across jurisdictions, in order to ensure that the level of protection afforded by this Code is not undermined.
2. A transfer of personal data to a foreign jurisdiction may take place where the supervisory authority has determined that the jurisdiction in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.
3. When assessing the adequacy of the level of protection, the supervisory authority shall take into account the following elements:
(1) the rule of law, respect for human rights and fundamental freedoms, and the existence and effective functioning of an independent supervisory authority in the jurisdiction concerned;
(2) the relevant legislation in force in the jurisdiction, both general and sectoral, including concerning public security, defence, national security, criminal law, and public authority access to personal data, as well as the implementation of such legislation and the availability of enforceable data subject rights;
(3) the international commitments of the jurisdiction, in particular with regard to the protection of personal data, including commitments arising from legally binding conventions or instruments and from participation in multilateral or regional systems;
(4) the existence of effective administrative and judicial remedies for data subjects whose personal data is being transferred.
4. The supervisory authority shall publish a list of jurisdictions in respect of which an adequacy determination has been made and shall keep such list under regular review. The supervisory authority may limit an adequacy determination to a specific sector or category of processing within a given jurisdiction.
5. In the absence of an adequacy determination pursuant to paragraph 2, a controller or processor may transfer personal data to a foreign jurisdiction only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. Appropriate safeguards may be provided by means of:
(1) binding contractual clauses between the controller or processor and the recipient of the personal data in the foreign jurisdiction;
(2) standard data protection clauses adopted or approved by the supervisory authority;
(3) an approved code of conduct, together with binding and enforceable commitments of the recipient to apply the appropriate safeguards;
(4) an approved certification mechanism, together with binding and enforceable commitments of the recipient to apply the appropriate safeguards.
6. In the absence of an adequacy determination pursuant to paragraph 2 or of appropriate safeguards pursuant to paragraph 5, a transfer or a set of transfers of personal data to a foreign jurisdiction may take place only on the basis of one of the following derogations:
(1) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfer due to the absence of an adequacy determination and appropriate safeguards;
(2) the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the data subject's request;
(3) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
(4) the transfer is necessary for important reasons of public interest of the Principality;
(5) the transfer is necessary for the establishment, exercise, or defence of legal claims;
(6) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
7. The State, including all its organs, departments, agencies, and instrumentalities, shall ensure that its own data storage arrangements comply with this Article. The State shall publish and maintain a current list of the foreign jurisdictions in which State data is held, including the categories of personal data stored in each jurisdiction and the safeguards applicable to each such arrangement.
8. A transfer pursuant to paragraph 6 shall not involve the entirety of a database or entire categories of personal data. Where a transfer is based on the derogation in paragraph 6(4), it shall be founded on a public interest recognised in the laws of the Principality.