bb) Furthermore, the transfer of personal data to third countries presupposes that
the data will be handled in the third country in acceptable conformity with human
rights and data protection standards (1), and requires a corresponding ascertainment by
the German state to that end (2).

332

(1) A transfer of data to third countries requires that the data will be handled in the
third country in sufficient conformity with rule-of-law standards.

333

(a) In terms of the requirements for the handling of the data in light of data protection
standards it is, however, not necessary that the receiving country has enacted rules
for the processing of personal data that are comparable to the rules applicable under
the German legal order, or that the receiving country provide the same level of protection as the Basic Law. In fact, the Basic Law recognises the autonomy and diversity of
legal orders and generally respects them, also in the context of the exchange of data.
Parameters and assessments do not need to conform to those of the German legal
order or the German Basic Law.

334

However, the transfer of personal data to third countries is only permissible if the
handling of the transferred data in these countries does not undermine the human
rights protection of personal data. This is not to say that the third country’s legal order
must guarantee institutional and procedural precautions in line with the German approach; in particular, it is not necessary that there be the same formal and institutional
safeguards as required under data protection laws applicable to German authorities
(see above, C IV 6). In this sense, it is necessary that an appropriate and substantive
level of data protection be guaranteed with regard to the handling of the transferred
data by the receiving state (cf. similarly ECJ, Judgment of 6 October 2015 – C-362/14
–, Schrems/Digital Rights Ireland, NJW 2015, p. 3151 <3155>, para. 73; cf. also Art. 8
ECHR; on this ECtHR, [GC], Roman Zakharov v. Russia, no. 47143/06, Judgment of
4.12.2015, §§ 227 et seq.; Art. 17 sec. 1 sentence 1 of the International Covenant on
Civil and Political Rights (ICCPR) of 16 December 1966, BGBl. 1973 II p. 1534,
UNTS 999, p. 171; Art. 12 of the Universal Declaration of Human Rights (UDHR) of
10 December 1948, General Assembly Res. 217 A III, GAOR III, Doc. A/810, p. 71;
cf. in this respect The right to privacy in the digital age, UN General Assembly Resolution 68/167 of 18 December 2013, UN Doc. A/Res/68/167 (2014), no. 4). In this respect, it
needs to be considered in particular whether limitations resulting from the principle of
purpose limitation, the requirement to delete the recorded data as well as fundamental requirements regarding oversight and data security are at least observed in general terms. The relevant standards for this appraisal are the domestic laws and the international obligations of the receiving state as well as their actual day-to-day
application (cf. similarly ECJ, Judgment of 6 October 2015 – C-362/14 –, Schrems/
Digital Rights Ireland, NJW 2015, p. 3151 <3157>, para. 75).

335

(b) In view of the fear of potential human rights abuses through the use of the data in
the receiving state, it must be guaranteed in particular that the data will neither be
used for political persecution nor inhuman or degrading punishment or treatment (cf.

336
