Article 49 GDPR: Difference between revisions
No edit summary |
m (→Commentary) |
||
(11 intermediate revisions by 8 users not shown) | |||
Line 2: | Line 2: | ||
![[Article 48 GDPR|←]] Article 49 - Derogations for specific situations [[Article 50 GDPR|→]] | ![[Article 48 GDPR|←]] Article 49 - Derogations for specific situations [[Article 50 GDPR|→]] | ||
|- | |- | ||
|style="padding: 20px; background-color:#003399;"|[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]] | | style="padding: 20px; background-color:#003399;" |[[File:Gdpricon.png|100px|center|link=Overview_of_GDPR]] | ||
|- | |- | ||
| | | | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 1: General provisions</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 17: | Line 17: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 2: Principles</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 31: | Line 31: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 3: Rights of the data subject</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 50: | Line 50: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 4: Controller and processor</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 77: | Line 77: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible | <div class="toccolours mw-collapsible" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 5: Transfers of personal data</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 91: | Line 91: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 6: Supervisory authorities</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 107: | Line 107: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 7: Cooperation and consistency</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 131: | Line 131: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 8: Remedies, liability and penalties</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 146: | Line 146: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 9: Specific processing situations</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 160: | Line 160: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 10: Delegated and implementing acts</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 169: | Line 169: | ||
</div></div> | </div></div> | ||
<div class="toccolours mw-collapsible mw-collapsed | <div class="toccolours mw-collapsible mw-collapsed" style="border-width: 0px" overflow:auto;"> | ||
<div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div> | <div style="font-weight:bold;line-height:1.6;">Chapter 11: Final provisions</div> | ||
<div class="mw-collapsible-content"> | <div class="mw-collapsible-content"> | ||
Line 184: | Line 184: | ||
|} | |} | ||
== Legal Text == | ==Legal Text== | ||
<br /><center>'''Article 49 - Derogations for specific situations'''</center | <br /><center>'''Article 49 - Derogations for specific situations'''</center> | ||
<span id="1">1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:</span> | <span id="1">1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:</span> | ||
Line 215: | Line 215: | ||
<span id="6">6. The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.</span> | <span id="6">6. The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.</span> | ||
== Relevant Recitals== | ==Relevant Recitals== | ||
{{Recital/111 GDPR}} | |||
{{Recital/112 GDPR}} | |||
{{Recital/113 GDPR}} | |||
{{Recital/114 GDPR}} | |||
{{Recital/115 GDPR}} | |||
== Commentary == | ==Commentary== | ||
The derogations from Article 49 GDPR are a limited closed list of exceptions that can be applied for international transfers of data to third-countries when no other mechanism of Chapter V can be applied. As explained by the European Data Protection Board (EDPB), the mechanism in Chapter V acts as a layer structure with three different levels: first, an adequacy decision pursuant to [[Article 45 GDPR]] shall be used, when it exists; second, appropriate safeguards under [[Article 46 GDPR]], such as binding corporate rules or contractual clauses, shall be used; and third, lacking any of the options mentioned above, derogations from Article 49 GDPR may be used. Additionally, [[Article 44 GDPR]] must be also be complied with, meaning that any transfer based on a derogation shall, in any case, meet the conditions contained in the provisions of the GDPR: data protection principles are still applicable, and the transfer must be based on a legal basis. Thus, the level of protection that the GDPR offers to natural persons shall not be undermined, and an adequate level of protection shall still be ensured.<ref>EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, p. 3 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf here]).</ref><blockquote><u>EDPB Guidelines</u>: on this Article, please see [https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-22018-derogations-article-49-under-regulation_en Guidelines 2/2018 on the exceptions under Article 49 of Regulation 2016/679]</blockquote> | |||
'' | === (1) Derogations for Specific Situations === | ||
In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following condition: (a) the data subject has explicitly consented; the transfer is necessary for (b) the conclusion or performance of a contract between the data subject and the controller; (c) the conclusion or performance of a contract concluded in the interest of a data subject; (d) important reasons of public interest; (e) exercise or defence of legal claims; (f) protection of the vital interests of the data subject or of other persons; and (g) public register in specific cases. These derogations should be interpreted restrictively;<ref>''Kuner'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 49 GDPR, p. 846 (Oxford University Press 2020).</ref> any transfers based on them shall be occasional and non-repetitive. A necessity test should always be carried out.<ref>EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, p. 4 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf here]).</ref> | |||
== Decisions == | ==== (a) Consent ==== | ||
According to Article 49(1)(a) GDPR, transfers to third countries can happen when “''the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards''”. Here, the general conditions for consent apply. However, Article 49(1)(a) GDPR is stricter. First, this consent shall be “specifically” informed. Before providing their consent, data subjects shall be given detailed information regarding the transfer in order to ensure adequate awareness about the particular risks involved in the specific transfer of their personal data to a country which does not ensure the same level of protection as the GDPR does. Second, it requires an explicit statement from the data subject, given the risk it entails. | |||
==== (b) Necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request ==== | |||
According to Article 49(1)(b) GDPR, transfers to third countries can take place when the “''transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the data subject’s request''”. The use of this derogation is limited by the two above-mentioned conditionings: a necessity test is needed, and the transfer may only be occasional, as Recital 111 GDPR indicates. | |||
Firstly, the transfer needs to be necessary for the performance of such contract. There shall be a substantial connection; general related activities to a contract or activities that may be carried out without such transfer are not included. Additionally, the pre-contractual steps shall be taken at the data subject’s request, meaning that they must be explicitly requested, and not merely offered to them.<ref>''Kuner'', in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 49 GDPR, p. 848 (Oxford University Press 2020).</ref> | |||
Secondly, the transfer shall be occasional. Therefore, transfers that occur regularly, such as transfers derived from a business relationship that generally requires such transfers to take place, are not included. Occasional transfers derived from a particular situation that arises in a business relationship may however be included. In accordance with Article 49(3) GDPR, this derogation cannot apply to activities carried out by public authorities in the exercise of their public powers.<ref>EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, p. 9 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf here]).</ref> | |||
==== (c) Necessary for the Conclusion or Performance of a Contract Concluded in the Interest of the Data Subject ==== | |||
According to Article 49(1)(c) GDPR, transfers to third countries can take place when the transfer is “''necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person''”. Similarly to the derogation from Article 49(1)(b) GDPR, this derogation may only be applied on an occasional basis, and carrying out a necessity test. There shall be a close and substantial link between the transfer and a contract concluded in the data subject’s interest. As in the previous paragraph, in accordance with Article 49(3) GDPR, this derogation cannot apply to activities carried out by public authorities in the exercise of their public powers either.<ref>EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, p. 9 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf here]).</ref> | |||
==== (d) Necessary for Important Reasons of Public Interest ==== | |||
Under Article 49(1)(d) GDPR, transfers to third countries can take place when the transfer is “''necessary for important reasons of public interest''”. Only public interests recognized in Union law or in the law of the Member State to which the controller is subject may be taken into account, in accordance with Article 49(4) GDPR. The provision that defines such public interest must not be abstract; the same activity linked to the transfer in both countries must be specifically addressed. Transfers will be allowed, for example, for important public interest recognised in international agreements or conventions signed by both countries. It is the public interest itself which makes the derogation applicable, not the nature of the organization. Therefore, private entities seeking such public interest may also rely on this derogation. The general limitations for derogations previously mentioned – ie. the transfer is occasional and a necessity test is carried out – must also be applied.<ref>EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, pp. 10-11 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf here]).</ref> | |||
==== (e) Necessary for the Establishment, Exercise or Defence of Legal Claims ==== | |||
According to Article 49(1)(e) GDPR, transfers to third countries can take place when the “''transfer is necessary for the establishment, exercise or defence of legal claims''”. This includes any kind of proceeding – e.g. criminal, administrative or arbitration proceedings– and pre-trial discovery procedures, as long as the processing is closely related to the activity, it is made occasionally, and does not refer to a mere possibility, but to a specific proceeding. The only condition regarding the nature of the procedure is that it must have its basis in law. There must be a substantial connection between the transfer and the specific exercise of a particular right, and only the data that is particularly necessary for such exercise shall be transferred.<ref>EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, pp. 11-12 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf here]).</ref> | |||
==== (f) Necessary to Protect Vital Interests of the Data Subject or Others, Where Physically or Legally Incapable of Giving Consent ==== | |||
According to Article 49(1)(f) GDPR, transfers to third countries can take place when the “''transfer necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent''”. In this case, what is relevant is the incapacity of the data subject to provide consent. If the data subject is able to consent, even if the data transfer is necessary to protect their vital interest, this derogation shall not be applied, and the derogation from Article 49(1)(a) GDPR will be applicable instead. The incapacity may be physical, mental or legal. Therefore, a case of a medical emergency in which the data subject is unconscious is a good example. The data subject may also be mentally incapable of giving consent, or may not have legal capacity – e.g. because they are a minor. Such incapability needs to be proved, and the data subject must be facing an imminent risk of serious harm. This derogation may also apply in case of armed conflict, or rescue and retrieval operations.<ref>EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, p. 13 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf here]).</ref> | |||
==== (g) Transfers Made from a Public Register ==== | |||
According to Article 49(1)(g), transfers to third countries can take place when the “''transfer is made from a public registry''”. Such register must be open to consultation by the public in general, or by anyone who can demonstrate a legitimate interest. Two conditions must be met: firstly, the conditions for consultation set by law must be fulfilled; and secondly, the principles of the GDPR must be applied, meaning that the controller needs to asses if the transfer is appropriate, taking the interests and rights of the data subject into consideration. Once again, the restriction in Article 49(3) GDPR is apposite here, and this derogation cannot apply to activities carried out by public authorities in the exercise of their public powers.<ref>EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, p. 14 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf here]).</ref> | |||
==== Compelling Legitimate Interests of the Controller ==== | |||
According to the final paragraph in Article 49(1) GDPR, when none of the derogations described above (Article 49(1)(a-g) GDPR) is applicable, transfers to third countries can still take place due to “''compelling legitimate interests pursued by the controller''”. This derogation shall thus only be used in residual cases, when there is no other option available. The legitimate interest of the controller should, however, not be overridden by the interests and rights of the data subject. The transfer should be essential for the controller’s interests as well as non-repetitive and the controller should also be able to demonstrate all these elements. In such cases, suitable additional safeguards must be provided in order to reduce the transfer’s risk and impact. The controller must inform the data protection authority (DPA) about the transfer and all relevant aspects are duly recorded. Lastly, the controller should inform the data subject about the transfer and its risks.<ref>EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, pp. 15-16 (available [https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_2_2018_derogations_en.pdf here]).</ref> | |||
=== (5) Limitation of Transfers Based on Important Reasons of Public Interest === | |||
According to Article 49(5) GDPR, the European Union or Member States can provide in the law for limitations of transfers of specific categories of data to third countries, based on important reasons of public interest. This may only cover specific and limited cases, and must be expressly stated in the legal provision.<ref>''Kuner'', in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 49 GDPR, p. 854 f. (Oxford University Press 2020).</ref> | |||
=== (6) Limitation of Transfers Based on Important Reasons of Public Interest === | |||
The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30. | |||
---- | |||
==Decisions== | |||
→ You can find all related decisions in [[:Category:Article 49 GDPR]] | → You can find all related decisions in [[:Category:Article 49 GDPR]] | ||
== References == | ==References== | ||
<references /> | <references /> | ||
[[Category:GDPR Articles]] | [[Category:GDPR Articles]] |
Latest revision as of 08:54, 27 March 2023
Legal Text
1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
- (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
- (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- (d) the transfer is necessary for important reasons of public interest;
- (e) the transfer is necessary for the establishment, exercise or defence of legal claims;
- (f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
- (g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.
2. A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.
3. Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.
4. The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.
5. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.
6. The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.
Relevant Recitals
Commentary
The derogations from Article 49 GDPR are a limited closed list of exceptions that can be applied for international transfers of data to third-countries when no other mechanism of Chapter V can be applied. As explained by the European Data Protection Board (EDPB), the mechanism in Chapter V acts as a layer structure with three different levels: first, an adequacy decision pursuant to Article 45 GDPR shall be used, when it exists; second, appropriate safeguards under Article 46 GDPR, such as binding corporate rules or contractual clauses, shall be used; and third, lacking any of the options mentioned above, derogations from Article 49 GDPR may be used. Additionally, Article 44 GDPR must be also be complied with, meaning that any transfer based on a derogation shall, in any case, meet the conditions contained in the provisions of the GDPR: data protection principles are still applicable, and the transfer must be based on a legal basis. Thus, the level of protection that the GDPR offers to natural persons shall not be undermined, and an adequate level of protection shall still be ensured.[1]
EDPB Guidelines: on this Article, please see Guidelines 2/2018 on the exceptions under Article 49 of Regulation 2016/679
(1) Derogations for Specific Situations
In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following condition: (a) the data subject has explicitly consented; the transfer is necessary for (b) the conclusion or performance of a contract between the data subject and the controller; (c) the conclusion or performance of a contract concluded in the interest of a data subject; (d) important reasons of public interest; (e) exercise or defence of legal claims; (f) protection of the vital interests of the data subject or of other persons; and (g) public register in specific cases. These derogations should be interpreted restrictively;[2] any transfers based on them shall be occasional and non-repetitive. A necessity test should always be carried out.[3]
(a) Consent
According to Article 49(1)(a) GDPR, transfers to third countries can happen when “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”. Here, the general conditions for consent apply. However, Article 49(1)(a) GDPR is stricter. First, this consent shall be “specifically” informed. Before providing their consent, data subjects shall be given detailed information regarding the transfer in order to ensure adequate awareness about the particular risks involved in the specific transfer of their personal data to a country which does not ensure the same level of protection as the GDPR does. Second, it requires an explicit statement from the data subject, given the risk it entails.
(b) Necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request
According to Article 49(1)(b) GDPR, transfers to third countries can take place when the “transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the data subject’s request”. The use of this derogation is limited by the two above-mentioned conditionings: a necessity test is needed, and the transfer may only be occasional, as Recital 111 GDPR indicates.
Firstly, the transfer needs to be necessary for the performance of such contract. There shall be a substantial connection; general related activities to a contract or activities that may be carried out without such transfer are not included. Additionally, the pre-contractual steps shall be taken at the data subject’s request, meaning that they must be explicitly requested, and not merely offered to them.[4]
Secondly, the transfer shall be occasional. Therefore, transfers that occur regularly, such as transfers derived from a business relationship that generally requires such transfers to take place, are not included. Occasional transfers derived from a particular situation that arises in a business relationship may however be included. In accordance with Article 49(3) GDPR, this derogation cannot apply to activities carried out by public authorities in the exercise of their public powers.[5]
(c) Necessary for the Conclusion or Performance of a Contract Concluded in the Interest of the Data Subject
According to Article 49(1)(c) GDPR, transfers to third countries can take place when the transfer is “necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person”. Similarly to the derogation from Article 49(1)(b) GDPR, this derogation may only be applied on an occasional basis, and carrying out a necessity test. There shall be a close and substantial link between the transfer and a contract concluded in the data subject’s interest. As in the previous paragraph, in accordance with Article 49(3) GDPR, this derogation cannot apply to activities carried out by public authorities in the exercise of their public powers either.[6]
(d) Necessary for Important Reasons of Public Interest
Under Article 49(1)(d) GDPR, transfers to third countries can take place when the transfer is “necessary for important reasons of public interest”. Only public interests recognized in Union law or in the law of the Member State to which the controller is subject may be taken into account, in accordance with Article 49(4) GDPR. The provision that defines such public interest must not be abstract; the same activity linked to the transfer in both countries must be specifically addressed. Transfers will be allowed, for example, for important public interest recognised in international agreements or conventions signed by both countries. It is the public interest itself which makes the derogation applicable, not the nature of the organization. Therefore, private entities seeking such public interest may also rely on this derogation. The general limitations for derogations previously mentioned – ie. the transfer is occasional and a necessity test is carried out – must also be applied.[7]
(e) Necessary for the Establishment, Exercise or Defence of Legal Claims
According to Article 49(1)(e) GDPR, transfers to third countries can take place when the “transfer is necessary for the establishment, exercise or defence of legal claims”. This includes any kind of proceeding – e.g. criminal, administrative or arbitration proceedings– and pre-trial discovery procedures, as long as the processing is closely related to the activity, it is made occasionally, and does not refer to a mere possibility, but to a specific proceeding. The only condition regarding the nature of the procedure is that it must have its basis in law. There must be a substantial connection between the transfer and the specific exercise of a particular right, and only the data that is particularly necessary for such exercise shall be transferred.[8]
(f) Necessary to Protect Vital Interests of the Data Subject or Others, Where Physically or Legally Incapable of Giving Consent
According to Article 49(1)(f) GDPR, transfers to third countries can take place when the “transfer necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent”. In this case, what is relevant is the incapacity of the data subject to provide consent. If the data subject is able to consent, even if the data transfer is necessary to protect their vital interest, this derogation shall not be applied, and the derogation from Article 49(1)(a) GDPR will be applicable instead. The incapacity may be physical, mental or legal. Therefore, a case of a medical emergency in which the data subject is unconscious is a good example. The data subject may also be mentally incapable of giving consent, or may not have legal capacity – e.g. because they are a minor. Such incapability needs to be proved, and the data subject must be facing an imminent risk of serious harm. This derogation may also apply in case of armed conflict, or rescue and retrieval operations.[9]
(g) Transfers Made from a Public Register
According to Article 49(1)(g), transfers to third countries can take place when the “transfer is made from a public registry”. Such register must be open to consultation by the public in general, or by anyone who can demonstrate a legitimate interest. Two conditions must be met: firstly, the conditions for consultation set by law must be fulfilled; and secondly, the principles of the GDPR must be applied, meaning that the controller needs to asses if the transfer is appropriate, taking the interests and rights of the data subject into consideration. Once again, the restriction in Article 49(3) GDPR is apposite here, and this derogation cannot apply to activities carried out by public authorities in the exercise of their public powers.[10]
Compelling Legitimate Interests of the Controller
According to the final paragraph in Article 49(1) GDPR, when none of the derogations described above (Article 49(1)(a-g) GDPR) is applicable, transfers to third countries can still take place due to “compelling legitimate interests pursued by the controller”. This derogation shall thus only be used in residual cases, when there is no other option available. The legitimate interest of the controller should, however, not be overridden by the interests and rights of the data subject. The transfer should be essential for the controller’s interests as well as non-repetitive and the controller should also be able to demonstrate all these elements. In such cases, suitable additional safeguards must be provided in order to reduce the transfer’s risk and impact. The controller must inform the data protection authority (DPA) about the transfer and all relevant aspects are duly recorded. Lastly, the controller should inform the data subject about the transfer and its risks.[11]
(5) Limitation of Transfers Based on Important Reasons of Public Interest
According to Article 49(5) GDPR, the European Union or Member States can provide in the law for limitations of transfers of specific categories of data to third countries, based on important reasons of public interest. This may only cover specific and limited cases, and must be expressly stated in the legal provision.[12]
(6) Limitation of Transfers Based on Important Reasons of Public Interest
The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.
Decisions
→ You can find all related decisions in Category:Article 49 GDPR
References
- ↑ EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, p. 3 (available here).
- ↑ Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 49 GDPR, p. 846 (Oxford University Press 2020).
- ↑ EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, p. 4 (available here).
- ↑ Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 49 GDPR, p. 848 (Oxford University Press 2020).
- ↑ EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, p. 9 (available here).
- ↑ EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, p. 9 (available here).
- ↑ EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, pp. 10-11 (available here).
- ↑ EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, pp. 11-12 (available here).
- ↑ EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, p. 13 (available here).
- ↑ EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, p. 14 (available here).
- ↑ EDPB, ‘Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679’, 25 May 2018, pp. 15-16 (available here).
- ↑ Kuner, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 49 GDPR, p. 854 f. (Oxford University Press 2020).