How to Transfer Personal Data Internationally: A Comparative Study of European Union Law and Iranian Legal System

Document Type : Original Article

Authors

1 Ph.D. Graduated in Private Law, Faculty of Law and Political Sciences, Ferdowsi University of Mashhad, Mashhad, Iran.

2 Associate Professor of Private Law Department, Faculty of Law and Political Sciences, Ferdowsi University of Mashhad, Mashhad, Iran.

Abstract

To fully protect personal data and data subjects, the European Union Data Protection Regulation (GDPR) addresses various aspects of such protection, one of which is the international transfer of personal data. From the point of view of the EU legislature, the rights of data subjects should not be undermined, even if their data is transferred to third countries or international organizations. Therefore, in several articles, it has set different requirements in this regard. In this research, a descriptive method has been used to analyze the tools required for the transfer of personal data in accordance with the EU law. These tools include Adequacy Decision, Standard Contractual Clauses, Binding Corporate Rules, Certification Mechanism, Codes of Conduct and specific situations of Article 49. Also, the existence of these requirements in the Iranian Legal System has been studied in a comparative way. The results show that in the Iranian law, due to the lack of specific legislation on personal data and, consequently, the articles authorizing the international transfer of personal data, only some of the requirements mentioned in the European regulation, especially the situations of Article 49, can be applied through the legal doctrine and principles of the Iranian law. Therefore, according to the Iranian law, the consent of the data subject, the contractual necessity, the existence of vital interests and the public interest, as well as the overriding legitimate interests of the controller can be considered as the reasons for the international transfer of personal data. However, the legislature's attention to the important issue of personal data protection in general and the international transfer of personal data in particular is essential.

Keywords

Main Subjects

References

  • Afrasyab, Mahboob. and Naser, Mehdi. (2020). Legal frameworks for maintaining the security of private data processing (A comparative study of Iranian and EU law). Islamic Law, 17(66), pp. 209-232. (In Persian)
  • Aghaei Togh, Muslim and Nasser, Mehdi. (2016). Challenges of Private Data Protection in the Field of IoT: A Comparative Study of Iranian and EU Law, Journal of Administrative Law, 7 (23), pp. 33-55. (In Persian)
  • Ahsani Forouz, Mohammad. (2013). Technology Transfer Law. Tehran, Dadgostar Publishing. (In Persian)
  • Amid Zanjani, Abbas Ali .(2012). General Rules of Contracts in the Book of Al-Baya Val-Motaajer. Tehran, Khorsandi Publishing. (In Arabic)
  • Aslani, Hamidreza. (2005). Information Technology Law. Tehran, Mizan. (In Persian)
  • Ayazi, Mohammad Ali .(2010). Criteria of Rulings and Methods of Its Exploration. Qom, Qom Seminary Islamic Propaganda Office. (In Persian)
  • Badini, Hassan, and Saeed Siahbidi Kermanshahi. (2020). Analysis of the concept and examples of conflict of interest in private law. The Judiciarys Law Journal, 85 (116), pp. 209-231 .‏(In Persian)
  • Bu-Pasha, S. (2017). Cross-border issues under EU data protection law with regards to personal data protection. Information and Communications Technology Law, 26(3), 213–228.
  • Colcelli, V. (2019). Joint Controller Agreement Under GDPR. Eu and Member States – Legal and Economic Issues, 3, 1030–1047.
  • Council of Europe. (1950). European Convention on Human Rights. In Vertical Judicial Dialogues in Asylum Cases. https://www.echr.coe.int/Documents/Convention_ENG.pdf
  • Eija, S. (2018). Applying General Data Protection Regulation In Small Organizations Simplified Framework and Templates for Managing a Privacy. School of Business and Culture.
  • EUR-Lex. (2012). Charter Of Fundamental Rights Of The European Union (2012/C 326/02). Official Journal of the European Union, 391–407. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012P/TXT&from=EN
  • EUR-Lex. (2016). Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation – GDPR). Official Journal of the European Union, 1–88. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
  • European Commission. (2018a). Binding Corporate Rules (BCR). https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/binding-corporate-rules-bcr_en
  • European Commission. (2018b). Standard Contractual Clauses (SCC). https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
  • European Commission. (2018c). What does data protection ‘by design’ and ‘by default’ mean? | European Commission. https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-does-data-protection-design-and-default-mean_en
  • European Commission. (2018d). What is a data controller or a data processor? | European Commission. https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/controller-processor/what-data-controller-or-data-processor_en
  • European Commission. (2018e). What rules apply if my organisation transfers data outside the EU? | European Commission. https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-rules-apply-if-my-organisation-transfers-data-outside-eu_en
  • European Commission. (2019). Adequacy decisions | European Commission. https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
  • European Data Protection Supervisor. (n.d.). Data Protection. Retrieved June 17, 2020, from https://edps.europa.eu/data-protection/data-protection_en
  • Fazel Lankarani, Mohammad Javad. (2017). Makaseb Muharama. Qom, Jurisprudential Center of the Imams (PBUH). (In Persian)
  • Ferrara, P., & Spoto, F. (2018). Static analysis for GDPR compliance. CEUR Workshop Proceedings, 2058, 1–10.
  • Goldozian, Iraj. (2018). General Criminal Law. Tehran, University of Tehran Press. (In Persian)
  • Hakim, Seyyed Mohsen. (1995). Al-Urwa Al-Wathqi, Qom, Dar al-Tafsir. (In Arabic)
  • Hashemi Shahroudi, Mahmoud.(2003). The culture of jurisprudence according to the religion of the Ahl al-Bayt Pbuh, Qom, Encyclopedia of Islamic jurisprudence on the religion of the Ahl al-Bayt (PBUH). (In Persian)
  • (2018). Codes of conduct. https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/codes-of-conduct/
  • Karroubi, Mohammad Taghi. (2005). The European Union and the discussion of the protection of personal data and privacy in electronic communications. Tehran, Baqa. (In Persian)
  • Makarem Shirazi, Nasser. (2006). Encyclopedia of Contemporary Jurisprudence. Qom, Imam Ali Ibn Abi Talib School (PBUH). (In Persian)
  • Mandegar, Mostafa. (2014). International Trade Agreements for Technology Transfer. Tehran, Shahr-e Danesh. (In Persian)
  • Modarressi, Mohammad Reza. Al-Bayaa. (2014). Qom, Dar al-Tafsir. (In Arabic)
  • Mohaqeq Damad, Seyed Mostafa. (2005). Rules of Jurisprudence (Civil Section Property Law and Responsibility). Tehran, Islamic Sciences Publishing Center. (In Persian)
  • Mohaqeq Karki, Ali Ibn Hussein. (1994). Jame Al-Maqassid Fi Sharh Al-Qawaed. Qom, Ahl al-Bayt Institute (PBUH). (In Arabic)
  • Montazeri, Hossein Ali (1988), the jurisprudential principles of the Islamic government (Derasat Fi Velayat Al- Faqih Va Fiqh Al-Dolat Al-Islami: Studies in the Juris Consult Leader and Jurisprudence of the Islamic Government), Qom, Keyhan Publishing. (In Persian)
  • Najafi, Mohammad Hassan. (2001). Jawahar al-Kalam. Qom, Institute of the Encyclopedia of Islamic Jurisprudence on the religion of the Ahl al-Bayt (PBUH). (In Arabic)
  • Nouri, Mohammad Ali and Nakhjavani, Reza. (2005). Data Protection Law. Tehran, ktabkhaneh ganj dansh. (In Persian)
  • Personal Data Protection and Safeguarding Draft Act in July 2018, Published on the website of the Ministry of Communications and Information Technology of Iran. (In Persian)
  • Practical Law. (n.d.). Certification mechanism. Retrieved March 11, 2020, from https://uk.practicallaw.thomsonreuters.com/w-014-8170?transitionType=Default&contextData=(sc.Default)&firstPage=true&bhcp=1
  • Purtova, N. (2015). The illusion of personal data as no one’s property. Law, Innovation and Technology, 7(1), 1–29.
  • Raisi, Leila, and Liyasi Flore Ghassemzadeh. (2020). The challenges of the Iranian legal system in violating the personal data and privacy in cyber space. The Judiciarys Law Journal. 84 (110), pp. 119-142. (In Persian)
  • Safi, Lotfallah. (2002). Fiqh al-Hajj. Qom, Hazrat Masoumeh Publishing (PBUH). (In Arabic)
  • Segovia Domingo, A. I., & Desmet Villar, N. (2018). Self-regulation in data protection. BBVA Research, October 2018, 1–4.
  • Singh, A. (2016). Protecting Personal Data as a Property Right. ILI Law Review, Winter Issue, 123–139.
  • Sullivan, C. (2019). EU GDPR or APEC CBPR? A comparative analysis of the approach of the EU and APEC to cross border data transfers and protection of personal data in the IoT era. Computer Law and Security Review, 35(4), 380–397.
  • Support and protection of personal data and information Draft Act in September 2021. (In Persian)
  • Tabatabai Yazdi, Mohammad Kazem. (2001). Al-Urwa Al-Wathqi, Qom, Islamic Publishing Institute. (In Arabic)
  • United Nations. (2015). Universal Declaration of Human Rights (pp. 1–62). https://www.un.org/en/udhrbook/pdf/udhr_booklet_en_web.pdf
  • Voigt, P., & von dem Bussche, A. (2017). The EU General Data Protection Regulation (GDPR). Springer International Publishing.
Journal of Comparative Law
Volume 6, Issue 1 - Serial Number 9
April 2022
Pages 207-230

Files

History

  • Receive Date: 27 February 2021
  • Revise Date: 11 May 2021
  • Accept Date: 17 September 2021

Share

How to cite

Statistics