Transfer of personal data to Greenland
Many companies with activities in Greenland are not aware that transferring personal data to Greenland is an international data transfer. Greenland is not covered by an adequacy decision, so an alternative transfer mechanism must be in place. That includes satisfying other requirements before your business is ready to carry out the transfer.
The Danish Data Protection Agency is the responsible supervisory authority in Greenland, but the rules governing data protection differ from those in Denmark. In Greenland, the legal framework is based on the Danish data protection rules that were in effect prior to the GDPR.
Although the rules share similarities, there are notable differences. For example, companies are generally required to report data processing activities in advance, and there is no specific framework for CCTV monitoring, unlike in Denmark. Despite the differences, the Danish Data Protection Agency has confirmed that most of its guidance on data processing in Denmark is equally applicable to Greenland.
In addition to complying with data protection rules as part of your processing activities, the data you transfer from the EU must maintain a level of protection that is essentially equivalent to that within the EU. To ensure that, you will need to conclude standard contractual clauses or other transfer mechanisms. The relevant transfer mechanism will depend on the transfer situation. Also, the mechanism cannot stand alone. The so-called ‘transfer impact assessment’ is also needed to prove that the data is guaranteed an appropriate level of protection following the transfer. We have previously elaborated on that requirement here.
IUNO’s opinion
Many find it confusing that data cannot flow freely and that the data protection rules are not identical across the Danish Realm. However, unlike Greenland, the Faroe Islands have an adequacy in place, which makes it significantly easier to handle cross-border data flows.
IUNO recommends that companies become familiar with the applicable data protection rules before commencing processing activities in a new country. Although the rules may appear similar at first glance, actual practice and administrative requirements may impact the risk in practice.
The Danish Data Protection Agency is the responsible supervisory authority in Greenland, but the rules governing data protection differ from those in Denmark. In Greenland, the legal framework is based on the Danish data protection rules that were in effect prior to the GDPR.
Although the rules share similarities, there are notable differences. For example, companies are generally required to report data processing activities in advance, and there is no specific framework for CCTV monitoring, unlike in Denmark. Despite the differences, the Danish Data Protection Agency has confirmed that most of its guidance on data processing in Denmark is equally applicable to Greenland.
In addition to complying with data protection rules as part of your processing activities, the data you transfer from the EU must maintain a level of protection that is essentially equivalent to that within the EU. To ensure that, you will need to conclude standard contractual clauses or other transfer mechanisms. The relevant transfer mechanism will depend on the transfer situation. Also, the mechanism cannot stand alone. The so-called ‘transfer impact assessment’ is also needed to prove that the data is guaranteed an appropriate level of protection following the transfer. We have previously elaborated on that requirement here.
IUNO’s opinion
Many find it confusing that data cannot flow freely and that the data protection rules are not identical across the Danish Realm. However, unlike Greenland, the Faroe Islands have an adequacy in place, which makes it significantly easier to handle cross-border data flows.
IUNO recommends that companies become familiar with the applicable data protection rules before commencing processing activities in a new country. Although the rules may appear similar at first glance, actual practice and administrative requirements may impact the risk in practice.
Similar
Danish DPA highlights employee monitoring in its New Year’s resolution
Sharing data to comply with labour clauses
Poor handling of access requests triggered criticism and police reports
New guidelines on prohibited AI practices
Managing transfer impact assessments in practice
Secret audio recordings of conversations led to serious criticism