Article 46 GDPR: Difference between revisions

From GDPRhub
 
(8 intermediate revisions by 4 users not shown)
Line 185: Line 185:


== Legal Text ==
== Legal Text ==
<br /><center>'''Article 46 - Transfers subject to appropriate safeguards'''</center><br />
<br /><center>'''Article 46 - Transfers subject to appropriate safeguards'''</center>


<span id="1">1.  In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.</span>
<span id="1">1.  In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.</span>
Line 218: Line 218:


== Commentary ==
== Commentary ==
Article 46(1) allows the transfer of personal data to a third country or an international organisation in the absence of an adequacy decision and always 'on condition that enforceable data subject rights and effective legal remedies for data subjects are available'. This provision, together with the others contained in Chapter V, thus contributes to the transfer of personal data in a globalised economy while ensuring a level of protection comparable to that provided by European law. From a practical point of view, the hypotheses regulated by Article 46 are very important since the vast majority of third countries or international organisations do not have their own adequacy decision under Article 45 GDPR. In the absence of such instruments, therefore, data transfer would be precluded to a large part of the planet.  
Article 46(1) allows the transfer of personal data to a third country or an international organisation in the absence of an adequacy decision and always '''on condition that enforceable data subject rights and effective legal remedies for data subjects are available''<nowiki/>'. This provision, together with the others contained in Chapter V, thus contributes to the transfer of personal data in a globalised economy while ensuring a level of protection comparable to that provided by European law. From a practical point of view, the instruments regulated by Article 46 are very important, since the vast majority of third countries or international organisations do not have their own adequacy decision under [[Article 45 GDPR]]. Therefore, in the absence of such instruments, data transfer would be precluded to a large part of the planet.


=== (1) Scope ===
=== (1) Scope ===
Article 46(1) allows the transfer of personal data to a third country or an international organisation by means of appropriate safeguards and in the absence of an adequacy decision. The provision seems to limit its scope to cases where there is no adequacy decision. However, it should be pointed out that the safeguards mentioned in the provision constitute an alternative system of data transfer and are therefore additional to the adequacy decision. For example, there may be cases where the controller, for a variety of reasons, may consider that the adequacy decision is invalid or does not provide an essentially equivalent level of protection. In such circumstances, it would not make sense to inhibit the controller from using these additional tools to increase the protection of the data subject.<ref>''Schantz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 46 GDPR, margin number 4 (Beck 2019, 1st ed.)(accessed 3 March 2022).</ref>  
Article 46(1) allows the transfer of personal data to a third country or an international organisation in the absence of an adequacy decision, by means of appropriate safeguards. Although the provision seems to limit its scope to cases where there is no adequacy decision, it should be pointed out that the safeguards mentioned in the provision constitute an alternative system of data transfer and can therefore be additional elements to the adequacy decision. For example, there may be cases where the controller, for a variety of reasons, may consider that the adequacy decision is invalid, or does not provide an essentially equivalent level of protection. In such circumstances, it would not make sense to inhibit the controller from using these additional tools to increase the protection of data subject rights.<ref>''Schantz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 46 GDPR, margin number 4 (C.H. Beck 2019).</ref>  


==== Appropriate Safeguards ====
==== Appropriate Safeguards ====
According to Recital 108 appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country.
According to Recital 108, appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses (also known as standard contractual clauses or SCCs) adopted by the European Commission (Commission), standard data protection clauses adopted by a data protection authority (DPA) or contractual clauses authorised by a DPA. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union.This includes the availability of enforceable data subject rights and of effective legal remedies, the possibility to obtain effective administrative or judicial redress, as well as to claim compensation, in the Union or in a third country.  


==== Enforceable Data Subject Rights ====
==== Enforceable Data Subject Rights ====
Paragraph 1 clarifies that a transfer on the basis of appropriate safeguards may only take place if enforceable rights are granted to the data subject. This includes in particular. the right of access (Article 15), rectification (Article 16), deletion (Article 17), restriction of processing (Article 18), objection (Article 21) and the right to claim ''damages'' in the EU or in the third country. However, the mere granting of substantive rights is of little use to the data subject; in order to enforce it, it must also have effective remedies at its disposal. Since there are no legal provisions to which the data subject can refer if he or she wishes to enforce his or her rights, a different legal basis is required. This can only be based on a voluntary commitment of the data processing body in the third country. This voluntary commitment can be expressed in a construction such as a contract for the benefit of third parties.
Paragraph 1 clarifies that a transfer on the basis of appropriate safeguards may only take place if enforceable rights are granted to the data subject. This includes, in particular, the right of access ([[Article 15 GDPR]]), rectification ([[Article 16 GDPR]]), deletion ([[Article 17 GDPR]]), restriction of processing ([[Article 18 GDPR]]), objection ([[Article 21 GDPR]]) and the right to ''claim damages''in the EU or in a third country. However, the mere granting of substantive rights is of little use to the data subject; in order to enforce them, the data subject must also have effective remedies at their disposal. The absence of an adequacy decision entails that there are no legal provisions on which the data subject can rely on if they wish to enforce their rights. Therefore, a different legal avenue is required. This can only be based on a voluntary commitment of the data processing body in the third country, which can be expressed in a construction such as a civil law contract for the benefit of third parties, which in this case would be the data subjects.


==== Effective Legal Remedies ====
==== Effective Legal Remedies ====
A further condition for the application of the safeguards in question is that the data subject must have effective legal remedies against possible infringements in the third country. This requirement clearly consists in the possibility of taking legal action in the third country. The practical feasibility of this requirement is however controversial. In many cases, the ordinary consumer will be faced with complex legal wrangling in distant and unfamiliar legal systems, including potential costs. For these reasons, some have branded this requirement as an "empty promise".<ref>''Schantz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 46 GDPR, margin number 10 (Beck 2019, 1st ed.)(accessed 3 March 2022).</ref>
A further condition for the application of the safeguards in question is that the data subject must have effective legal remedies against possible infringements in the third country. This requirement clearly consists in the possibility of taking legal action in the third country. The practical feasibility of this requirement is however controversial. In many cases, the ordinary consumer will be faced with complex legal wrangling in distant and unfamiliar legal systems, including potential costs. For these reasons, some have branded this requirement as an "''empty promise''".<ref>''Schantz'', in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 46 GDPR, margin number 10 (C.H. Beck 2019).</ref>  


==== Article 46 and Schrems II ====
==== All the Above post Schrems II ====
In Schrems II, the CJEU found that the notions of appropriate safeguards, enforceable rights, and effective legal remedies must be interpreted in light of Article 44 GDPR, which states that ‘all provisions [in that chapter] shall be applied in order to ensure that the level of protection of natural persons guaranteed by [that regulation] is not undermined’. Thus, the Court continued, ‘that level of protection must therefore be guaranteed irrespective of the provision of that chapter on the basis of which a transfer of personal data to a third country is carried out’.
In [[CJEU - C-311/18 - Schrems II|Schrems II]], the CJEU held that the notions of appropriate safeguards, enforceable rights, and effective legal remedies under Article 46 GDPR must be interpreted in light of [[Article 44 GDPR]], which states that “''all provisions'' [in Chapter V, including Article 46 GDPR and its SCCs] ''shall be applied in order to ensure that the level of protection of natural persons guaranteed by'' [the GDPR] ''is not undermined''”. The Court continued: “''that level of protection must therefore be guaranteed irrespective of the provision of that chapter on the basis of which a transfer of personal data to a third country is carried out''”. In particular, in the absence of an adequacy decision, and with specific regard to the SCCs, the data exporter should determine whether the laws of the data importer’s country provide an “''essentially equivalent''” protection of personal data to that guaranteed under EU law. Should that not be the case, “''supplementary measures''” must be implemented and, if such measures would still not provide an “''essentially equivalent''” protection, the data transfer must then be suspended.


The Court of Justice of the European Union (CJEU) ruled on two key data transfer mechanisms invalidating the EU-U.S. Privacy Shield for data transfers to the U.S. and imposing enhanced due diligence on parties using the SCCs.<ref>For further details on the decision, please refer to the summary provided under Article 45 GDPR.</ref> According to the decision, where such enhanced due diligence determines that the laws of the data importer’s country do not provide ''essentially equivalent'' protection of personal data to that guaranteed under EU law, supplementary measures must be implemented. If the implementation of such supplementary measures would still not provide ''essentially equivalent'' protection with respect to the data importer’s country, the data transfer must be suspended.  
The EDPB has provided specific guidance on the matter. In practice, the data exporter must always check whether the legal situation in the recipient country enables the data importer to comply with the contractual obligations entered into – for example in the form of standard data protection clauses – such as those to process the received data exclusively in accordance with the exporter's instructions.<ref>This applies in particular with regard to the potential access to data by the third country’s authorities, because contractual guarantees, such as the standard data protection clauses agreed between the data exporter and the data importer, naturally have no binding effect vis-à-vis authorities.</ref> As a consequence, the exporter must verify the state of law and practice in the third country. The analysis should not cover the entire legal system of the third country, but should rather be limited to the most critical areas including law enforcement, intelligence services and specific sectoral disciplines relevant to the specific processing activity. Once the relevant laws have been identified, the third-country law’s compliance with the essential elements of clarity and predictability should then be verified. Finally, an assessment should be made as to whether the law meets the criterion of strict necessity in a democratic society to ensure, among others, state security, national defence or public safety. The mere absence of either of such requirements should lead to the blocking of transfers to the third country unless “''additional safeguards''” are available to protect the transferred personal data. The EDPB, in its Recommendations 1/2020 paper, mentions mostly ''encryption'' and ''pseudonymisation.'' However, in some transmission scenarios, it will not be possible to find additional measures that are effective and thus could still "save" the transmission.<ref>EDPB, ‘Guidelines 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’, 18 June 2021 (Version 2.0), pp. 29-30 (available [https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en here]).</ref>


In practice, the data exporter must always check whether the legal situation in the recipient country enables the data importer to comply with the contractual obligations entered into – for example in the form of standard data protection clauses – such as those to process the received data exclusively in accordance with the exporter's instructions. This applies in particular with regard to the aspect of possible data access by authorities in the third country. This is because contractual guarantees such as the standard data protection clauses agreed between the data exporter and the data importer naturally have no binding effect vis-à-vis authorities.
The CJEU has hereby imposed a considerable burden on data exporters who wish to transfer personal data to any third country. They must actively deal with the legal situation in the third country on an ongoing basis. From this point of view, the Schrems II ruling may indicate a certain trend towards the establishment of EU-based servers and storage space.
 
As a consequence, the exporter must verify the state of law and practice in the third country. The analysis should not study the entire legal system of the third country but should rather be limited to the most critical areas including law enforcement, intelligence services and specific sectoral disciplines where relevant to the specific processing. Once the relevant laws have been identified, it should be verified whether the law of the third country complies with the essential elements of clarity and predictability. Finally, it should be verified whether the law meets the criterion of strict necessity in a democratic society to ensure, among others, state security, national defence or public safety.
 
The mere existence of such provisions should lead to the blocking of transfers to the third country. At this point, however, the EDPB introduces a new element - not actually required by Schrems II - which consists in the likelihood that the interception (theoretically) envisaged by the law will also happen in practice, or at least that it is likely to happen. In this sense, the Board refers to the 'practical experience' of the data importer. In this respect, any past experience where the importer has received requests for disclosure from local authorities, or where it is known that a certain type of transaction is subject to interception, is relevant. In addition, it is clear from the Schrems II judgment that the data exporter must also check whether legal remedies are available for data subjects. For example, in the specific case, following the bulk surveillance under the so-called Section 702 FISA and Executive Order 12.333, non-US persons were not entitled to judicial legal protection options vis-à-vis the US authorities. More over, the so-called ombudsperson mechanism, which was provided for in the EU-U.S. Privacy Shield, was also not considered by the ECJ to be a sufficient legal protection mechanism.
 
The Court held that the standard of essential equivalence with EU law which it had found to apply to adequacy decisions in its first Schrems judgment also applies to data transfers under appropriate guarantees. It confirmed that the standards for determining the level of protection must be based on EU law, particularly the Charter.Within these parameters, the Court upheld the use per se of SCCs as a data transfer mechanism. However, it also found that since SCCs do not bind public authorities (such as law enforcement or security authorities) in third countries, they cannot restrain such authorities from accessing data transferred under them.
 
Therefore, the Court held, the contracting parties should make use of ‘additional safeguards’ to protect the data in addition to those provided under the SCCs, though it did not provide details as to what such additional safeguards should be. The EDPB, in its Recommendations 1/2020 paper, the EDPB sees only ''encryption'' and ''pseudonymisation'' as measures to be taken in the case of transfers of data that → Paragraph 2d) of a third country, it is capable of effectively preventing the effects of the 'problematic law', subject to certain requirements for encryption or pseudonymisation, which are described in more detail in the og Paper (see EDPB Recommendations 1/2020, paragraphs 84, 85). However, in some transmission scenarios, it will not be possible to find additional measures that are effective and thus could still "save" the transmission.
 
In conclusion, personal data may not be used solely on the basis of guarantee instruments according to Article 46 are transferred to the ''USA'', but at most if a level of protection comparable to that of the EU can be guaranteed with the help of ''addit''ional measures. The ECJ has hereby imposed a considerable burden on data exporters who wish to transfer personal data to a third country. They must actively deal with the legal situation in the third country on an ongoing basis From this point of view, the Schrems II ruling of the ECJ could initiate a ''trend towards the retrieval'' of data processing processes from third countries to the European Union combined with the conversion of business processes both for data protection controllers and for providers of processing services, such as servers and storage space.
 
Important Incidentally, this statement of the ECJ will also be used for the other guarantee instruments within the meaning of the Kind. 46 since all these instruments are of a contractual or quasi-contractual nature and therefore cannot bind third-country authorities.


=== (2) Appropriate Safeguards ===
=== (2) Appropriate Safeguards ===
Article 46(2) GDPR provides a list of appropriate safeguards that the controller or processor may use. Transfers based on such instruments do not require prior authorisation from the DPA. Thus, no approval is required for transfers based on (a) a legally binding and enforceable instrument between public authorities or bodies; (b) binding corporate rules in accordance with Article 47; (c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2); (d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2); (e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or (f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
Article 46(2) GDPR provides a list of appropriate safeguards that the controller or processor may use to transfer data without a prior authorisation from the DPA. The list includes the following transfer instruments (or safeguards): (a) a legally binding and enforceable instruments between public authorities or bodies; (b) binding corporate rules in accordance with [[Article 47 GDPR]]; (c) standard data protection clauses adopted by the Commission; (d) standard data protection clauses adopted by a DPA and subsequently approved by the Commission; (e) an approved code of conduct; or (f) an approved certification mechanism.  


==== (a) Legally binding and enforceable instrument between public authorities or bodies ====
==== (a) Legally binding and enforceable instrument between public authorities or bodies ====
The reference to 'a legally binding and enforceable instrument between public authorities or bodies' allows data transfers based on enforceable legal instruments between public authorities or bodies in the EU and those in third countries. This could include, for example, an international agreement (i.e. a treaty) to share data between an EU-based public authority and one in a third country.<ref>''Kuner'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 46 GDPR, p. 806 (Oxford University Press 2020).</ref> The provision does not clarify what is meant by an instrument. Recital 108, however, makes it clear that it may be"''administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects''".
A “''legally binding and enforceable instrument between public authorities or bodies''” allows data transfers between such entities. This could include, for example, an international agreement (i.e. a treaty) to share data between an EU-based public authority and one in a third country.<ref>''Kuner'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 46 GDPR, p. 806 (Oxford University Press 2020).</ref> The provision does not clarify what is meant by an instrument. Recital 108, however, reduces the uncertainty by mentioning “''administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects''”. <blockquote><u>EDPB Guidelines</u>: on this provision there are [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22020-articles-46-2-and-46-3-b-regulation_en Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies] </blockquote>


==== (b) Binding corporate rules in accordance with Article 47 ====
==== (b) Binding corporate rules in accordance with Article 47 ====
The Binding Corporate Rules allow the transfer of personal data to third countries without an adequacy decision, when the transfer takes place within the same group of companies. Please refer to the commentary on Article 47 GDPR.
Binding corporate rules allow the transfer of personal data to third countries without an adequacy decision, when the transfer takes place within the same group of companies. For more on this, please refer to the commentary on [[Article 47 GDPR]].  


==== (c) Standard data protection clauses adopted by the Commission under Article 93(2) ====
==== (c) Standard data protection clauses adopted by the Commission under Article 93(2) ====
The Standard Data Protection Clauses, already provided for by the previous regulation in Article 26(4) of Directive 95/46/EE, are, in fact, a set of predefined clauses prepared by the European Commission and adopted under Article 93(2) GDPR. A first set of SCCs was introduced with the decisions 2001/497/EC or Decision 2010/87/EU.<ref>Available [https://eur-lex.europa.eu/legal-content/en/LSU/?uri=CELEX%3A32010D0087 here] (accesses 3 March 2022).</ref> As already reported elsewhere, with the Schrems II decision, the EU Court of Justice emphasised that not only the adequacy decision (Article 45 GDPR) but also SCCs must ensure an essentially equivalent level of protection. Taking this into account, on 4 June 2021 the European Commission has adopted the implementing decision (EU) no. 2021/914 which established a new set of SCC. These clauses transpose the main aspects of the GDPR into contractual terms. Among other things, the contractual parties require to inform the data subject under Articles 13(1)(f) GDPR, allow the data subject to exercise its rights under the law of the Member States. The importing party must also provide an easy point of contact for the data subject to make any complaints or claims, possibly to a DPA or a court located in the European Union. Further, data subjects will be able to be represented in court by non-profit associations and to claim compensation for damages resulting from unlawful processing operations. Finally, there is an obligation to constantly check the legislation of the third country against the purposes of protecting personal data.
Standard data protection clauses (or SCCs), are a set of predefined clauses prepared by the European Commission and adopted under through a decision under [[Article 93 GDPR|Article 93(2) GDPR]]. A first set of such clauses were established by decisions 2001/497/EC and 2010/87/EU.<ref>Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593) (available [https://eur-lex.europa.eu/legal-content/en/LSU/?uri=CELEX%3A32010D0087 here]).</ref> As mentioned above, with the ''Schrems II'' decision, the CJEU emphasised that not only adequacy decisions ([[Article 45 GDPR]]), but also SCCs, must ensure an essentially equivalent level of protection and that it is incumbent on the controller to ensure that additional safeguards are given where the case so requires.  
 
Taking this into account, on 4 June 2021 the Commission adopted the Implementing Decision (EU) 2021/914, which established a new set of SCCs. These clauses transpose the main aspects of the GDPR as well as the ''Schrems II'' ruling into contractual terms. Among other things, by signing the SCCs, the contractual parties are required to, among the others, (i) fully inform the data subjects about the processing and the transfer, (ii) ensure the full exercise of their GDPR rights; (iii) provide an easy point of contact for the data subject to make any complaints or claims; (iv) continuously assess the importer’s national law and verify whether it provides an essentially equivalent level of protection and, should that not be the case, (v) adopt additional measures to solve the problem or otherwise interrupt the transfer. Moreover, (vi) data subjects should be able to be represented in court by non-profit associations, and to claim compensation for damages resulting from unlawful processing operations.
 
Recital 109 GDPR clarifies that there is no prohibition against "''adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects''". However, any amendment of the "''standard clauses means that they will be considered to be ad hoc clauses that require the authorisation of the competent DPA''" under Article 46(3)(a) GDPR.<span lang="EN-GB">Article
46(1) allows the transfer of personal data to a third country or an
international organisation in the absence of an adequacy decision and always '<nowiki/>''on condition that enforceable data subject
rights and effective legal remedies for data subjects are available''<nowiki/>'. This
provision, together with the others contained in Chapter V, thus contributes to
the transfer of personal data in a globalised economy while ensuring a level of
protection comparable to that provided by European law. From a practical point
of view, the instruments regulated by Article 46 are very important, since the
vast majority of third countries or international organisations do not have
their own adequacy decision under </span><ref>This is also the case with regard to the new SCCs issued by the Commission in draft form in November 2020 as per Commission Draft SCCs 2020, clause 1(c). See, ''Kuner'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR) Update of Selected Articles, Article 68 GDPR, p. 177.</ref>


==== (d) Standard data protection clauses adopted by a supervisory authority and approved by the Commission ====
==== (d) Standard data protection clauses adopted by a supervisory authority and approved by the Commission ====
A further innovation of the GDPR is the possibility for standard data protection clauses to be adopted not only by the Commission but also by the DPAs of the individual Member States. The adoption of such clauses requires, firstly, the mandatory opinion of the EDPB under Article 64(1)(d) GDPR and, subsequently, the acceptance of the Commission under the procedure provided for in Article 93(2) GDPR.
A further innovation of the GDPR is the possibility for SCCs to be adopted not only by the Commission, but also by the DPAs of the individual Member States. The adoption of such clauses requires, firstly, the mandatory opinion of the EDPB under [[Article 64 GDPR|Article 64(1)(d) GDPR]] and, subsequently, the acceptance of the Commission under the procedure provided for in [[Article 93 GDPR|Article 93(2) GDPR]].  


==== (e) Approved code of conduct pursuant to Article 40 ====
==== (e) Approved code of conduct pursuant to Article 40 ====
Codes of conduct are another novelty brought by the GDPR. They are drawn up by associations or associations representing certain groups of data processors and provide these bodies with guidelines for the application of provisions of the GDPR, for example with regard to technical and organisational security measures, reporting obligations in the event of data protection violations, but also data transfers to third countries or to international organisations. For further information, please refer to the commentary on Article 40 GDPR.
Codes of conduct are another novelty brought by the GDPR. They are drawn up by associations (which may represent certain groups of data processors) and provide these bodies with guidelines for the application of the GDPR, for example, with regard to technical and organisational security measures, reporting obligations in the event of data protection violations, as well as data transfers to third countries or to international organisations. For further information, please refer to the commentary on [[Article 40 GDPR]]. <blockquote><u>EDPB Guidelines</u>: For this provision, please see [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042021-codes-conduct-tools-transfers_en Guidelines 04/2021 on Codes of Conduct as tools for transfers] </blockquote>


==== (f) Approved certification mechanism pursuant to Article 42 ====
==== (f) Approved certification mechanism pursuant to Article 42 ====
The GDPR does not contain a definition of "''certifica�tion mechanism''" although Article 42 refers to "''data protection seals and marks''". An example of a certification mechanism would thus "''pre�sumably be a trustmark placed on a website, which would have to be backed up by some sort of code of conduct or code of practice''". Certification mechanisms are voluntary, but under Article 42(5) they may be approved either by a DPA or a national certification body as set out in Article 43. A certification mechanism must contain "binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards", and must thus be legally binding. No additional DPA authorisation is required for the use of a certifica�tion mechanism once it has been approved.<ref>''Kuner'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 46 GDPR, pp. 807-808 (Oxford University Press 2020).</ref>
The GDPR does not contain a definition of "''certification mechanism''" although [[Article 42 GDPR]] refers to "''data protection seals and marks''". An example of a certification mechanism would thus "''presumably be a trustmark placed on a website, which would have to be backed up by some sort of code of conduct or code of practice''". Certification mechanisms are voluntary, but under [[Article 42 GDPR|Article 42(5) GDPR]] they may be approved either by a DPA or a national certification body as set out in [[Article 43 GDPR]]. A certification mechanism must contain "''binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards''", and must thus be legally binding. No additional DPA authorisation is required for the use of a certification mechanism once it has been approved.<ref>''Kuner'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 46 GDPR, pp. 807-808 (Oxford University Press 2020).</ref><blockquote><u>EDPB Guidelines</u>: on this provision, please see [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072022-certification-tool-transfers_en Guidelines 07/2022 on certification as a tool for transfers]</blockquote>


=== (3) Other Safeguards which require an Authorization by the DPA ===
=== (3) Other Safeguards which require an Authorization by the DPA ===
(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or (b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
In addition to the appropriate safeguards provided for in paragraph 2, paragraph 3 opens to further hypotheses. In this case, though, the use of such safeguards require the SA's prior authorisation. The provision mentions two examples,<ref>The use of the expression “''in particular''” means that the list is not exhaustive. Accordingly, other forms of appropriate safeguards are possible, provided they ensure an adequate level of protection and are authorised by the DPA.</ref> (a) contractual clauses between the controller or processor and the controller, processor or the recipient ("''Ad-hoc Contractual Clauses''") and (b) provisions to be inserted into administrative arrangements between public authorities ("''Administrative Arrangements''").


==== (a) Contractual clauses ====
==== (a) Ad-hoc Contractual Clauses ====
Article 46(3)(a) GDPR allows the creation of specific transfer agreements between exporter and importer. It is clear that the contract should clarify the essential aspects of the transfer and follow the SCC’s structure in terms of content and safeguards. For example, clauses defining the intended purpose, the categories of data to be transmitted or the measures to prevent unauthorized access. In contrast to the subsequent Article 46(3)(b), this provision does not provide that the clauses must include "''enforceable and effective data subject rights''". This is evidently a drafting error since it is precisely in such cases that there is a need to protect the interests of the data subject. Consequently, the ad-hoc clauses should also contain provisions on such safeguards.


==== (b) Administrative arrangements ====
==== (b) Administrative Arrangements ====
Article 46(3)(b) GDPR permits transfers based on "''provisions to be inserted into administrative arrangements between public authorities or bodies''". Unlike the agreements referred to in Article 46(2)(a) above, these agreements are not "''legally binding''" (Recital 108 speaks of "''memorandum of understandings''"), which is why they require prior authorisation by the DPA. Kuner correctly points out that it is unclear "''how 'enforceable and effective' rights for data subjects can be provided when the arrangements under which such rights are to be secured are themselves not legally binding''".<ref>''Kuner'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 46 GDPR, p. 808 (Oxford University Press 2020).</ref><blockquote><u>EDPB Guidelines</u>: on this provision there are [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22020-articles-46-2-and-46-3-b-regulation_en Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies]</blockquote>


=== (4) Consistency Mechanism in case Paragraph 3 Applies ===
=== (4) Consistency Mechanism in case Paragraph 3 Applies ===
The appropriate safeguards under paragraph 3 must be submitted to the respective DPAfor examination and approval. The supervisory authorities must not only provide an express answer, but also needs to be proactive and assess the effectiveness of the proposed safeguards. The DPA shall also apply the consistency mechanism referred to in [[Article 63 GDPR]].


=== (5) Continuous Validity ===
=== (5) Continuous Validity ===
Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.
Authorisations by a Member State or a DPAon the basis of Article 26(2) DPD shall remain valid until amended, replaced or repealed, if necessary, by that DPA. Similarly, decisions adopted by the Commission on the basis of Article 26(4) DPD shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of the aforementioned DPD provision.


== Decisions ==
== Decisions ==

Latest revision as of 08:53, 27 March 2023

Article 46 - Transfers subject to appropriate safeguards
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 46 - Transfers subject to appropriate safeguards

1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

5. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

Relevant Recitals

Recital 108: Transfers Subject to Appropriate Safeguards
In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

Recital 109: Standard Data-Protection Clauses
The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.

Commentary

Article 46(1) allows the transfer of personal data to a third country or an international organisation in the absence of an adequacy decision and always 'on condition that enforceable data subject rights and effective legal remedies for data subjects are available'. This provision, together with the others contained in Chapter V, thus contributes to the transfer of personal data in a globalised economy while ensuring a level of protection comparable to that provided by European law. From a practical point of view, the instruments regulated by Article 46 are very important, since the vast majority of third countries or international organisations do not have their own adequacy decision under Article 45 GDPR. Therefore, in the absence of such instruments, data transfer would be precluded to a large part of the planet.

(1) Scope

Article 46(1) allows the transfer of personal data to a third country or an international organisation in the absence of an adequacy decision, by means of appropriate safeguards. Although the provision seems to limit its scope to cases where there is no adequacy decision, it should be pointed out that the safeguards mentioned in the provision constitute an alternative system of data transfer and can therefore be additional elements to the adequacy decision. For example, there may be cases where the controller, for a variety of reasons, may consider that the adequacy decision is invalid, or does not provide an essentially equivalent level of protection. In such circumstances, it would not make sense to inhibit the controller from using these additional tools to increase the protection of data subject rights.[1]

Appropriate Safeguards

According to Recital 108, appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses (also known as standard contractual clauses or SCCs) adopted by the European Commission (Commission), standard data protection clauses adopted by a data protection authority (DPA) or contractual clauses authorised by a DPA. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union.This includes the availability of enforceable data subject rights and of effective legal remedies, the possibility to obtain effective administrative or judicial redress, as well as to claim compensation, in the Union or in a third country.

Enforceable Data Subject Rights

Paragraph 1 clarifies that a transfer on the basis of appropriate safeguards may only take place if enforceable rights are granted to the data subject. This includes, in particular, the right of access (Article 15 GDPR), rectification (Article 16 GDPR), deletion (Article 17 GDPR), restriction of processing (Article 18 GDPR), objection (Article 21 GDPR) and the right to ‘claim damages’ in the EU or in a third country. However, the mere granting of substantive rights is of little use to the data subject; in order to enforce them, the data subject must also have effective remedies at their disposal. The absence of an adequacy decision entails that there are no legal provisions on which the data subject can rely on if they wish to enforce their rights. Therefore, a different legal avenue is required. This can only be based on a voluntary commitment of the data processing body in the third country, which can be expressed in a construction such as a civil law contract for the benefit of third parties, which in this case would be the data subjects.

Effective Legal Remedies

A further condition for the application of the safeguards in question is that the data subject must have effective legal remedies against possible infringements in the third country. This requirement clearly consists in the possibility of taking legal action in the third country. The practical feasibility of this requirement is however controversial. In many cases, the ordinary consumer will be faced with complex legal wrangling in distant and unfamiliar legal systems, including potential costs. For these reasons, some have branded this requirement as an "empty promise".[2]

All the Above post Schrems II

In Schrems II, the CJEU held that the notions of appropriate safeguards, enforceable rights, and effective legal remedies under Article 46 GDPR must be interpreted in light of Article 44 GDPR, which states that “all provisions [in Chapter V, including Article 46 GDPR and its SCCs] shall be applied in order to ensure that the level of protection of natural persons guaranteed by [the GDPR] is not undermined”. The Court continued: “that level of protection must therefore be guaranteed irrespective of the provision of that chapter on the basis of which a transfer of personal data to a third country is carried out”. In particular, in the absence of an adequacy decision, and with specific regard to the SCCs, the data exporter should determine whether the laws of the data importer’s country provide an “essentially equivalent” protection of personal data to that guaranteed under EU law. Should that not be the case, “supplementary measures” must be implemented and, if such measures would still not provide an “essentially equivalent” protection, the data transfer must then be suspended.

The EDPB has provided specific guidance on the matter. In practice, the data exporter must always check whether the legal situation in the recipient country enables the data importer to comply with the contractual obligations entered into – for example in the form of standard data protection clauses – such as those to process the received data exclusively in accordance with the exporter's instructions.[3] As a consequence, the exporter must verify the state of law and practice in the third country. The analysis should not cover the entire legal system of the third country, but should rather be limited to the most critical areas including law enforcement, intelligence services and specific sectoral disciplines relevant to the specific processing activity. Once the relevant laws have been identified, the third-country law’s compliance with the essential elements of clarity and predictability should then be verified. Finally, an assessment should be made as to whether the law meets the criterion of strict necessity in a democratic society to ensure, among others, state security, national defence or public safety. The mere absence of either of such requirements should lead to the blocking of transfers to the third country unless “additional safeguards” are available to protect the transferred personal data. The EDPB, in its Recommendations 1/2020 paper, mentions mostly encryption and pseudonymisation. However, in some transmission scenarios, it will not be possible to find additional measures that are effective and thus could still "save" the transmission.[4]

The CJEU has hereby imposed a considerable burden on data exporters who wish to transfer personal data to any third country. They must actively deal with the legal situation in the third country on an ongoing basis. From this point of view, the Schrems II ruling may indicate a certain trend towards the establishment of EU-based servers and storage space.

(2) Appropriate Safeguards

Article 46(2) GDPR provides a list of appropriate safeguards that the controller or processor may use to transfer data without a prior authorisation from the DPA. The list includes the following transfer instruments (or safeguards): (a) a legally binding and enforceable instruments between public authorities or bodies; (b) binding corporate rules in accordance with Article 47 GDPR; (c) standard data protection clauses adopted by the Commission; (d) standard data protection clauses adopted by a DPA and subsequently approved by the Commission; (e) an approved code of conduct; or (f) an approved certification mechanism.

(a) Legally binding and enforceable instrument between public authorities or bodies

A “legally binding and enforceable instrument between public authorities or bodies” allows data transfers between such entities. This could include, for example, an international agreement (i.e. a treaty) to share data between an EU-based public authority and one in a third country.[5] The provision does not clarify what is meant by an instrument. Recital 108, however, reduces the uncertainty by mentioning “administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects”.

EDPB Guidelines: on this provision there are Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies

(b) Binding corporate rules in accordance with Article 47

Binding corporate rules allow the transfer of personal data to third countries without an adequacy decision, when the transfer takes place within the same group of companies. For more on this, please refer to the commentary on Article 47 GDPR.

(c) Standard data protection clauses adopted by the Commission under Article 93(2)

Standard data protection clauses (or SCCs), are a set of predefined clauses prepared by the European Commission and adopted under through a decision under Article 93(2) GDPR. A first set of such clauses were established by decisions 2001/497/EC and 2010/87/EU.[6] As mentioned above, with the Schrems II decision, the CJEU emphasised that not only adequacy decisions (Article 45 GDPR), but also SCCs, must ensure an essentially equivalent level of protection and that it is incumbent on the controller to ensure that additional safeguards are given where the case so requires.

Taking this into account, on 4 June 2021 the Commission adopted the Implementing Decision (EU) 2021/914, which established a new set of SCCs. These clauses transpose the main aspects of the GDPR as well as the Schrems II ruling into contractual terms. Among other things, by signing the SCCs, the contractual parties are required to, among the others, (i) fully inform the data subjects about the processing and the transfer, (ii) ensure the full exercise of their GDPR rights; (iii) provide an easy point of contact for the data subject to make any complaints or claims; (iv) continuously assess the importer’s national law and verify whether it provides an essentially equivalent level of protection and, should that not be the case, (v) adopt additional measures to solve the problem or otherwise interrupt the transfer. Moreover, (vi) data subjects should be able to be represented in court by non-profit associations, and to claim compensation for damages resulting from unlawful processing operations.

Recital 109 GDPR clarifies that there is no prohibition against "adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects". However, any amendment of the "standard clauses means that they will be considered to be ad hoc clauses that require the authorisation of the competent DPA" under Article 46(3)(a) GDPR.Article 46(1) allows the transfer of personal data to a third country or an international organisation in the absence of an adequacy decision and always 'on condition that enforceable data subject rights and effective legal remedies for data subjects are available'. This provision, together with the others contained in Chapter V, thus contributes to the transfer of personal data in a globalised economy while ensuring a level of protection comparable to that provided by European law. From a practical point of view, the instruments regulated by Article 46 are very important, since the vast majority of third countries or international organisations do not have their own adequacy decision under [7]

(d) Standard data protection clauses adopted by a supervisory authority and approved by the Commission

A further innovation of the GDPR is the possibility for SCCs to be adopted not only by the Commission, but also by the DPAs of the individual Member States. The adoption of such clauses requires, firstly, the mandatory opinion of the EDPB under Article 64(1)(d) GDPR and, subsequently, the acceptance of the Commission under the procedure provided for in Article 93(2) GDPR.

(e) Approved code of conduct pursuant to Article 40

Codes of conduct are another novelty brought by the GDPR. They are drawn up by associations (which may represent certain groups of data processors) and provide these bodies with guidelines for the application of the GDPR, for example, with regard to technical and organisational security measures, reporting obligations in the event of data protection violations, as well as data transfers to third countries or to international organisations. For further information, please refer to the commentary on Article 40 GDPR.

EDPB Guidelines: For this provision, please see Guidelines 04/2021 on Codes of Conduct as tools for transfers

(f) Approved certification mechanism pursuant to Article 42

The GDPR does not contain a definition of "certification mechanism" although Article 42 GDPR refers to "data protection seals and marks". An example of a certification mechanism would thus "presumably be a trustmark placed on a website, which would have to be backed up by some sort of code of conduct or code of practice". Certification mechanisms are voluntary, but under Article 42(5) GDPR they may be approved either by a DPA or a national certification body as set out in Article 43 GDPR. A certification mechanism must contain "binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards", and must thus be legally binding. No additional DPA authorisation is required for the use of a certification mechanism once it has been approved.[8]

EDPB Guidelines: on this provision, please see Guidelines 07/2022 on certification as a tool for transfers

(3) Other Safeguards which require an Authorization by the DPA

In addition to the appropriate safeguards provided for in paragraph 2, paragraph 3 opens to further hypotheses. In this case, though, the use of such safeguards require the SA's prior authorisation. The provision mentions two examples,[9] (a) contractual clauses between the controller or processor and the controller, processor or the recipient ("Ad-hoc Contractual Clauses") and (b) provisions to be inserted into administrative arrangements between public authorities ("Administrative Arrangements").

(a) Ad-hoc Contractual Clauses

Article 46(3)(a) GDPR allows the creation of specific transfer agreements between exporter and importer. It is clear that the contract should clarify the essential aspects of the transfer and follow the SCC’s structure in terms of content and safeguards. For example, clauses defining the intended purpose, the categories of data to be transmitted or the measures to prevent unauthorized access. In contrast to the subsequent Article 46(3)(b), this provision does not provide that the clauses must include "enforceable and effective data subject rights". This is evidently a drafting error since it is precisely in such cases that there is a need to protect the interests of the data subject. Consequently, the ad-hoc clauses should also contain provisions on such safeguards.

(b) Administrative Arrangements

Article 46(3)(b) GDPR permits transfers based on "provisions to be inserted into administrative arrangements between public authorities or bodies". Unlike the agreements referred to in Article 46(2)(a) above, these agreements are not "legally binding" (Recital 108 speaks of "memorandum of understandings"), which is why they require prior authorisation by the DPA. Kuner correctly points out that it is unclear "how 'enforceable and effective' rights for data subjects can be provided when the arrangements under which such rights are to be secured are themselves not legally binding".[10]

EDPB Guidelines: on this provision there are Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies

(4) Consistency Mechanism in case Paragraph 3 Applies

The appropriate safeguards under paragraph 3 must be submitted to the respective DPAfor examination and approval. The supervisory authorities must not only provide an express answer, but also needs to be proactive and assess the effectiveness of the proposed safeguards. The DPA shall also apply the consistency mechanism referred to in Article 63 GDPR.

(5) Continuous Validity

Authorisations by a Member State or a DPAon the basis of Article 26(2) DPD shall remain valid until amended, replaced or repealed, if necessary, by that DPA. Similarly, decisions adopted by the Commission on the basis of Article 26(4) DPD shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of the aforementioned DPD provision.

Decisions

→ You can find all related decisions in Category:Article 46 GDPR

References

  1. Schantz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 46 GDPR, margin number 4 (C.H. Beck 2019).
  2. Schantz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 46 GDPR, margin number 10 (C.H. Beck 2019).
  3. This applies in particular with regard to the potential access to data by the third country’s authorities, because contractual guarantees, such as the standard data protection clauses agreed between the data exporter and the data importer, naturally have no binding effect vis-à-vis authorities.
  4. EDPB, ‘Guidelines 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’, 18 June 2021 (Version 2.0), pp. 29-30 (available here).
  5. Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 46 GDPR, p. 806 (Oxford University Press 2020).
  6. Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593) (available here).
  7. This is also the case with regard to the new SCCs issued by the Commission in draft form in November 2020 as per Commission Draft SCCs 2020, clause 1(c). See, Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR) Update of Selected Articles, Article 68 GDPR, p. 177.
  8. Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 46 GDPR, pp. 807-808 (Oxford University Press 2020).
  9. The use of the expression “in particular” means that the list is not exhaustive. Accordingly, other forms of appropriate safeguards are possible, provided they ensure an adequate level of protection and are authorised by the DPA.
  10. Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 46 GDPR, p. 808 (Oxford University Press 2020).