Article 49 GDPR: Difference between revisions
No edit summary |
|||
Line 249: | Line 249: | ||
=== Overview === | === Overview === | ||
The derogations from Article 49 are a limited closed list of exceptions that can be applied for international transfers of data to third-countries when no other mechanism of Chapter V can be applied. As explained by the EDPB,<ref>EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, adopted on 25 May 2018, pp. 3-4; </ref> the mechanism in Chapter V act as a layer structure with three different levels: In the first place, an adequacy decision from Article 45 shall be used, when it exists. In the second place, appropriate safeguards from Article 46, such as binding corporate rules or contractual clauses, shall be used. Lastly, lacking any of the above mentioned options, derogations from Article 49 may be used. Additionally, Article 44 must be also be complied with, meaning that any transfer based on a derogation shall anyhow meet the conditions contained in the provisions of the GDPR: data protection principles are still applicable, and the transfer must be based on a legal basis.<ref>EDPB 2018, op. cit., p. 3</ref> According to the same Article, the level of protection that the GDPR offers to natural persons shall not be undermined and fundamental rights shall never be breached. An adequate level of protection shall be always ensured. <ref>Ibidem</ref> It is important to note that derogations shall be interpreted restrictively.<ref>Kuner, Bygrave, Docksey; ''The EU General Data Protection Regulation (GDPR): A Commentary'', Oxford University Press, Oxford, 2020, p. 846</ref> Following the logic that exceptions shall not become the rule, two main limitations apply in a general sense for the transfer based on any of the options for derogations: transfers shall be occasional and non-repetitive and a necessity test shall always be carried out.<ref>EDPB 2018, op. cit., pp. 4-5</ref> | The derogations from Article 49 GDPR are a limited closed list of exceptions that can be applied for international transfers of data to third-countries when no other mechanism of Chapter V can be applied. As explained by the EDPB,<ref>EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, adopted on 25 May 2018, pp. 3-4; </ref> the mechanism in Chapter V act as a layer structure with three different levels: In the first place, an adequacy decision from Article 45 shall be used, when it exists. In the second place, appropriate safeguards from Article 46 GDPR, such as binding corporate rules or contractual clauses, shall be used. Lastly, lacking any of the above mentioned options, derogations from Article 49 GDPR may be used. Additionally, Article 44 GDPR must be also be complied with, meaning that any transfer based on a derogation shall anyhow meet the conditions contained in the provisions of the GDPR: data protection principles are still applicable, and the transfer must be based on a legal basis.<ref>EDPB 2018, op. cit., p. 3</ref> According to the same Article, the level of protection that the GDPR offers to natural persons shall not be undermined and fundamental rights shall never be breached. An adequate level of protection shall be always ensured. <ref>Ibidem</ref> It is important to note that derogations shall be interpreted restrictively.<ref>Kuner, Bygrave, Docksey; ''The EU General Data Protection Regulation (GDPR): A Commentary'', Oxford University Press, Oxford, 2020, p. 846</ref> Following the logic that exceptions shall not become the rule, two main limitations apply in a general sense for the transfer based on any of the options for derogations: transfers shall be occasional and non-repetitive and a necessity test shall always be carried out.<ref>EDPB 2018, op. cit., pp. 4-5</ref> | ||
=== Consent === | === Consent === | ||
According to Article 49(1)(a), transfers to third countries can happen when “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”. Here, the general conditions for consent from Article 7 apply.<ref>Idem, pp. 7-8</ref> However, differently from such Article, that only requires unambiguous consent, this derogation is stricter and requires an explicit consent from the data subject, given the risk involved. This requires an express statement of consent from the data subject.<ref>Article 29 Working Party, Guidelines on consent under Regulation 2016/679, adopted on 28 November 2017, p. 18</ref> | According to Article 49(1)(a) GDPR, transfers to third countries can happen when “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”. Here, the general conditions for consent from [[Article 7 GDPR]] apply.<ref>Idem, pp. 7-8</ref> However, differently from such Article, that only requires unambiguous consent, this derogation is stricter and requires an explicit consent from the data subject, given the risk involved. This requires an express statement of consent from the data subject.<ref>Article 29 Working Party, Guidelines on consent under Regulation 2016/679, adopted on 28 November 2017, p. 18</ref> | ||
Consent shall also be specific and informed. Consent needs to be specifically given for the processing regarding the transfer, ensuring a level of transparency that allows the data subject to be aware of the particular existing risks. General consent for other processing related processing activities is not valid. This is related to the requirement of informed consent, as the data subject can only know about the risks involved if they are properly informed about the specific circumstances of the transfer and the risks it might pose. The data subject must therefore have full knowledge of the specific facts of the transfers, and the risks that a data transfer to a third country which does not ensure the same level of protection entails.<ref>Idem, pp. 7-8</ref> | Consent shall also be specific and informed. Consent needs to be specifically given for the processing regarding the transfer, ensuring a level of transparency that allows the data subject to be aware of the particular existing risks. General consent for other processing related processing activities is not valid. This is related to the requirement of informed consent, as the data subject can only know about the risks involved if they are properly informed about the specific circumstances of the transfer and the risks it might pose. The data subject must therefore have full knowledge of the specific facts of the transfers, and the risks that a data transfer to a third country which does not ensure the same level of protection entails.<ref>Idem, pp. 7-8</ref> | ||
The consent, in accordance to Article 7, shall be always withdraw-able.<ref>Article 29 Working Party 2017, p. 21</ref> | The consent, in accordance to [[Article 7 GDPR]], shall be always withdraw-able.<ref>Article 29 Working Party 2017, p. 21</ref> | ||
=== Necessary for the | === Necessary for the Performance of a Contract Between the Data Subject and the Controller or for the Implementation of Pre-contractual Measures === | ||
According to Article 49(1)(b), transfers to third countries can take place when the “transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the data subject’s request”. The use of this derogation is limited by the two above-mentioned conditionings: a necessity test is needed and the transfer may only be occasional, as Recital 111 indicates.<ref>EDPB 2018, op. cit., pp. 8-9</ref> | According to Article 49(1)(b) GDPR, transfers to third countries can take place when the “transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the data subject’s request”. The use of this derogation is limited by the two above-mentioned conditionings: a necessity test is needed and the transfer may only be occasional, as Recital 111 GDPR indicates.<ref>EDPB 2018, op. cit., pp. 8-9</ref> | ||
Firstly, the transfer needs to be necessary for the performance of such contract. There shall be a substantial connection; general related activities to a contract or activities that may be carried out without such transfer are not included. Additionally, the pre-contractual steps shall be taken at the data subject request; meaning that the data subject shall explicitly request them, but not just be offered to them.<ref>Kuner, Bygrave, Docksey 2020, p. 848</ref> | Firstly, the transfer needs to be necessary for the performance of such contract. There shall be a substantial connection; general related activities to a contract or activities that may be carried out without such transfer are not included. Additionally, the pre-contractual steps shall be taken at the data subject request; meaning that the data subject shall explicitly request them, but not just be offered to them.<ref>Kuner, Bygrave, Docksey 2020, p. 848</ref> | ||
Secondly, the transfer shall be occasional. Therefore, transfers that occur regularly, such as transfers derived from a business relationship that generally requires such transfers to happen, are not included. Occasional transfers derived from a particular situation that arises in a business relationship may however be included.<ref>EDPB 2018, op. cit., p. 9</ref> In accordance with Article 49(3), this derogation cannot apply to activities carried out by public authorities in the exercise of their public powers. | Secondly, the transfer shall be occasional. Therefore, transfers that occur regularly, such as transfers derived from a business relationship that generally requires such transfers to happen, are not included. Occasional transfers derived from a particular situation that arises in a business relationship may however be included.<ref>EDPB 2018, op. cit., p. 9</ref> In accordance with Article 49(3) GDPR, this derogation cannot apply to activities carried out by public authorities in the exercise of their public powers. | ||
=== Necessary for the | === Necessary for the Conclusion or Performance of a Contract Concluded in the Interest of the Data Subject === | ||
According to Article 49(1)(c), transfers to third countries can take place when the transfer is “necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person”. Similarly to derogation from Article 49(1)(b), this derogation may only be applied in an occasional basis and carrying out a necessity test. There shall be a close and substantial link between the transfer and a contract concluded in the data subject’s interest.<ref>Idem, pp. 9-10</ref> In accordance with Article 49(3), this derogation cannot apply to activities carried out by public authorities in the exercise of their public powers. | According to Article 49(1)(c) GDPR, transfers to third countries can take place when the transfer is “necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person”. Similarly to derogation from Article 49(1)(b) GDPR, this derogation may only be applied in an occasional basis and carrying out a necessity test. There shall be a close and substantial link between the transfer and a contract concluded in the data subject’s interest.<ref>Idem, pp. 9-10</ref> In accordance with Article 49(3) GDPR, this derogation cannot apply to activities carried out by public authorities in the exercise of their public powers. | ||
=== Necessary for | === Necessary for Important Reasons of Public Interest === | ||
According to Article 49(1)(d), transfers to third countries can take place when the transfer is “necessary for important reasons of public interest”. Only public interests recognized in Union law or in the law of the Member State to which the controller is subject may be taken into account, in accordance with Article 49(4). The provision that defines such public interest must not be abstract; it needs to particularly address the same activity linked to the transfer in both countries. They will be allowed, for example, for important public interest recognised in international agreements or conventions signed by both countries.<ref>Idem, p. 10</ref> It is the public interest what makes the derogation applicable, not the nature of the organization. Therefore, private entities seeking such public interest may also rely on this derogation. General limitations for derogations – the transfer is occasional and a necessity test is carried out – must also be applied. <ref>Idem, p. 11</ref> | According to Article 49(1)(d) GDPR, transfers to third countries can take place when the transfer is “necessary for important reasons of public interest”. Only public interests recognized in Union law or in the law of the Member State to which the controller is subject may be taken into account, in accordance with Article 49(4) GDPR. The provision that defines such public interest must not be abstract; it needs to particularly address the same activity linked to the transfer in both countries. They will be allowed, for example, for important public interest recognised in international agreements or conventions signed by both countries.<ref>Idem, p. 10</ref> It is the public interest what makes the derogation applicable, not the nature of the organization. Therefore, private entities seeking such public interest may also rely on this derogation. General limitations for derogations – the transfer is occasional and a necessity test is carried out – must also be applied.<ref>Idem, p. 11</ref> | ||
=== Necessary for the | === Necessary for the Establishment, Exercise or Defence of Legal Claims === | ||
According to Article 49(1)(e), transfers to third countries can take place when the “transfer is necessary for the establishment, exercise or defence of legal claims”. This includes any kind of proceeding – criminal, administrative or arbitration proceedings, for example – and pre-trial discovery procedures, as long as the processing is closely related to the activity, it is made occasionally and is not repetitive and refers not a mere possibility but to a particular proceeding. The only condition regarding the nature of the procedure is that it must have its basis in law. There must be a substantial connection between the transfer and the specific exercise of such right, and only the data that is particularly necessary for such exercise shall be transferred. <ref>Ibidem</ref> | According to Article 49(1)(e) GDPR, transfers to third countries can take place when the “transfer is necessary for the establishment, exercise or defence of legal claims”. This includes any kind of proceeding – criminal, administrative or arbitration proceedings, for example – and pre-trial discovery procedures, as long as the processing is closely related to the activity, it is made occasionally and is not repetitive and refers not a mere possibility but to a particular proceeding. The only condition regarding the nature of the procedure is that it must have its basis in law. There must be a substantial connection between the transfer and the specific exercise of such right, and only the data that is particularly necessary for such exercise shall be transferred. <ref>Ibidem</ref> | ||
=== Necessary | === Necessary to Protect Vital Interests of the Data Subject or Others, Where Physically or Legally Incapable of Giving Consent === | ||
According to Article 49(1)(f), transfers to third countries can take place when the “transfer necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent”. In this case, what is relevant is the incapacity of the data subject to provide consent. If the data subject is able to consent, even if the data transfer is necessary to protect their vital interest, this derogation shall not be applied; but derogation from Article 49(1)(a). <ref>Idem, p. 12-13</ref> | According to Article 49(1)(f) GDPR, transfers to third countries can take place when the “transfer necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent”. In this case, what is relevant is the incapacity of the data subject to provide consent. If the data subject is able to consent, even if the data transfer is necessary to protect their vital interest, this derogation shall not be applied; but derogation from Article 49(1)(a) GDPR. <ref>Idem, p. 12-13</ref> | ||
The incapacity may be physical, mental or legal. Therefore, a case of a medical emergency in which the data subject is unconscious is a good example. The data subject may also be mentally incapable of giving consent, or may not have legal capacity – e.g. because they are a minor.<ref>Ibidem</ref> Such incapability needs to be proved, and the data subject must be facing an imminent risk of serious harm. This derogation may also apply in case of armed conflict or rescue and retrieval operations.<ref>Ibidem</ref> | The incapacity may be physical, mental or legal. Therefore, a case of a medical emergency in which the data subject is unconscious is a good example. The data subject may also be mentally incapable of giving consent, or may not have legal capacity – e.g. because they are a minor.<ref>Ibidem</ref> Such incapability needs to be proved, and the data subject must be facing an imminent risk of serious harm. This derogation may also apply in case of armed conflict or rescue and retrieval operations.<ref>Ibidem</ref> | ||
=== Transfers | === Transfers Made from a Public Register === | ||
According to Article 49(1)(g), transfers to third countries can take place when the “transfer is made from a public registry”. Such register must be open to public consultation by the public in general or by anyone who can demonstrate a legitimate interest. Two conditions must be met: firstly, the conditions for consultation set by the law must be fulfilled, and secondly, the principles of the GDPR must be applied, meaning that the controller needs to asses if the transfer is appropriate, considering the interests and rights of the data subject. In accordance with Article 49(3), this derogation cannot apply to activities carried out by public authorities in the exercise of their public powers. | According to Article 49(1)(g), transfers to third countries can take place when the “transfer is made from a public registry”. Such register must be open to public consultation by the public in general or by anyone who can demonstrate a legitimate interest. Two conditions must be met: firstly, the conditions for consultation set by the law must be fulfilled, and secondly, the principles of the GDPR must be applied, meaning that the controller needs to asses if the transfer is appropriate, considering the interests and rights of the data subject. In accordance with Article 49(3) GDPR, this derogation cannot apply to activities carried out by public authorities in the exercise of their public powers. | ||
=== Compelling | === Compelling Legitimate Interests of the Controller === | ||
According to Article 49(1)( | According to Article 49(1)(2) GDPR, transfers to third countries can take place when the transfer takes place due to a “compelling legitimate interests of the controller”. This derogation may only be applicable when no mechanisms from [[Article 45 GDPR|Articles 45, 46 GDPR]] and no other derogation can apply. It shall only be used in residual cases, when there is no other option available. The legitimate interest of the controller shall not be overridden by the interests and rights of the data subject. It must also be essential for the controller’s interests, non-repetitive, and the controller must be able to demonstrate the necessity for such transfer.<ref>Idem, pp. 15-16</ref> | ||
For this, a balancing test needs to be carried out. This shall include the balancing of the controller’s interest against the data subject interest and rights. Suitable additional safeguards must be provided to reduce the risk and the impact of the transfer. For evidence purposes, it is also recommendable that the controller informs the supervisory activity about such transfer and records all relevant aspects. The controller also need to inform the data subject about the transfer and related relevant information.<ref>Idem, pp. 16-17</ref> | For this, a balancing test needs to be carried out. This shall include the balancing of the controller’s interest against the data subject interest and rights. Suitable additional safeguards must be provided to reduce the risk and the impact of the transfer. For evidence purposes, it is also recommendable that the controller informs the supervisory activity about such transfer and records all relevant aspects. The controller also need to inform the data subject about the transfer and related relevant information.<ref>Idem, pp. 16-17</ref> | ||
=== Limitation of | === Limitation of Transfers Based on Important Reasons of Public Interest === | ||
According to Article 49(5), the European Union or Member States can provide in the law for limitations of transfers of specific categories of data to third countries, based on important reasons of public interest. This may only cover specific and limited cases, and must be expressly stated in the legal provision.<ref>Kuner, Bygrave, Docksey 2020, pp. 854-855</ref> | According to Article 49(5) GDPR, the European Union or Member States can provide in the law for limitations of transfers of specific categories of data to third countries, based on important reasons of public interest. This may only cover specific and limited cases, and must be expressly stated in the legal provision.<ref>Kuner, Bygrave, Docksey 2020, pp. 854-855</ref> | ||
---- | ---- | ||
Revision as of 16:12, 19 August 2021
Legal Text
1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
- (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
- (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- (d) the transfer is necessary for important reasons of public interest;
- (e) the transfer is necessary for the establishment, exercise or defence of legal claims;
- (f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
- (g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.
2. A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.
3. Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.
4. The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.
5. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.
6. The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.
Relevant Recitals
Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his or her explicit consent, where the transfer is occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies. Provision should also be made for the possibility for transfers where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In the latter case, such a transfer should not involve the entirety of the personal data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or, if they are to be the recipients, taking into full account the interests and fundamental rights of the data subject.
Those derogations should in particular apply to data transfers required and necessary for important reasons of public interest, for example in cases of international data exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or for public health, for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport. A transfer of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the data subject's or another person's vital interests, including physical integrity or life, if the data subject is incapable of giving consent. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of data to a third country or an international organisation. Member States should notify such provisions to the Commission. Any transfer to an international humanitarian organisation of personal data of a data subject who is physically or legally incapable of giving consent, with a view to accomplishing a task incumbent under the Geneva Conventions or to complying with international humanitarian law applicable in armed conflicts, could be considered to be necessary for an important reason of public interest or because it is in the vital interest of the data subject.
Transfers which can be qualified as not repetitive and that only concern a limited number of data subjects, could also be possible for the purposes of the compelling legitimate interests pursued by the controller, when those interests are not overridden by the interests or rights and freedoms of the data subject and when the controller has assessed all the circumstances surrounding the data transfer. The controller should give particular consideration to the nature of the personal data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and should provide suitable safeguards to protect fundamental rights and freedoms of natural persons with regard to the processing of their personal data. Such transfers should be possible only in residual cases where none of the other grounds for transfer are applicable. For scientific or historical research purposes or statistical purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration. The controller should inform the supervisory authority and the data subject about the transfer.
In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred so that that they will continue to benefit from fundamental rights and safeguards.
Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.
Commentary
Overview
The derogations from Article 49 GDPR are a limited closed list of exceptions that can be applied for international transfers of data to third-countries when no other mechanism of Chapter V can be applied. As explained by the EDPB,[1] the mechanism in Chapter V act as a layer structure with three different levels: In the first place, an adequacy decision from Article 45 shall be used, when it exists. In the second place, appropriate safeguards from Article 46 GDPR, such as binding corporate rules or contractual clauses, shall be used. Lastly, lacking any of the above mentioned options, derogations from Article 49 GDPR may be used. Additionally, Article 44 GDPR must be also be complied with, meaning that any transfer based on a derogation shall anyhow meet the conditions contained in the provisions of the GDPR: data protection principles are still applicable, and the transfer must be based on a legal basis.[2] According to the same Article, the level of protection that the GDPR offers to natural persons shall not be undermined and fundamental rights shall never be breached. An adequate level of protection shall be always ensured. [3] It is important to note that derogations shall be interpreted restrictively.[4] Following the logic that exceptions shall not become the rule, two main limitations apply in a general sense for the transfer based on any of the options for derogations: transfers shall be occasional and non-repetitive and a necessity test shall always be carried out.[5]
Consent
According to Article 49(1)(a) GDPR, transfers to third countries can happen when “the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards”. Here, the general conditions for consent from Article 7 GDPR apply.[6] However, differently from such Article, that only requires unambiguous consent, this derogation is stricter and requires an explicit consent from the data subject, given the risk involved. This requires an express statement of consent from the data subject.[7]
Consent shall also be specific and informed. Consent needs to be specifically given for the processing regarding the transfer, ensuring a level of transparency that allows the data subject to be aware of the particular existing risks. General consent for other processing related processing activities is not valid. This is related to the requirement of informed consent, as the data subject can only know about the risks involved if they are properly informed about the specific circumstances of the transfer and the risks it might pose. The data subject must therefore have full knowledge of the specific facts of the transfers, and the risks that a data transfer to a third country which does not ensure the same level of protection entails.[8]
The consent, in accordance to Article 7 GDPR, shall be always withdraw-able.[9]
Necessary for the Performance of a Contract Between the Data Subject and the Controller or for the Implementation of Pre-contractual Measures
According to Article 49(1)(b) GDPR, transfers to third countries can take place when the “transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the data subject’s request”. The use of this derogation is limited by the two above-mentioned conditionings: a necessity test is needed and the transfer may only be occasional, as Recital 111 GDPR indicates.[10]
Firstly, the transfer needs to be necessary for the performance of such contract. There shall be a substantial connection; general related activities to a contract or activities that may be carried out without such transfer are not included. Additionally, the pre-contractual steps shall be taken at the data subject request; meaning that the data subject shall explicitly request them, but not just be offered to them.[11]
Secondly, the transfer shall be occasional. Therefore, transfers that occur regularly, such as transfers derived from a business relationship that generally requires such transfers to happen, are not included. Occasional transfers derived from a particular situation that arises in a business relationship may however be included.[12] In accordance with Article 49(3) GDPR, this derogation cannot apply to activities carried out by public authorities in the exercise of their public powers.
Necessary for the Conclusion or Performance of a Contract Concluded in the Interest of the Data Subject
According to Article 49(1)(c) GDPR, transfers to third countries can take place when the transfer is “necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person”. Similarly to derogation from Article 49(1)(b) GDPR, this derogation may only be applied in an occasional basis and carrying out a necessity test. There shall be a close and substantial link between the transfer and a contract concluded in the data subject’s interest.[13] In accordance with Article 49(3) GDPR, this derogation cannot apply to activities carried out by public authorities in the exercise of their public powers.
Necessary for Important Reasons of Public Interest
According to Article 49(1)(d) GDPR, transfers to third countries can take place when the transfer is “necessary for important reasons of public interest”. Only public interests recognized in Union law or in the law of the Member State to which the controller is subject may be taken into account, in accordance with Article 49(4) GDPR. The provision that defines such public interest must not be abstract; it needs to particularly address the same activity linked to the transfer in both countries. They will be allowed, for example, for important public interest recognised in international agreements or conventions signed by both countries.[14] It is the public interest what makes the derogation applicable, not the nature of the organization. Therefore, private entities seeking such public interest may also rely on this derogation. General limitations for derogations – the transfer is occasional and a necessity test is carried out – must also be applied.[15]
Necessary for the Establishment, Exercise or Defence of Legal Claims
According to Article 49(1)(e) GDPR, transfers to third countries can take place when the “transfer is necessary for the establishment, exercise or defence of legal claims”. This includes any kind of proceeding – criminal, administrative or arbitration proceedings, for example – and pre-trial discovery procedures, as long as the processing is closely related to the activity, it is made occasionally and is not repetitive and refers not a mere possibility but to a particular proceeding. The only condition regarding the nature of the procedure is that it must have its basis in law. There must be a substantial connection between the transfer and the specific exercise of such right, and only the data that is particularly necessary for such exercise shall be transferred. [16]
Necessary to Protect Vital Interests of the Data Subject or Others, Where Physically or Legally Incapable of Giving Consent
According to Article 49(1)(f) GDPR, transfers to third countries can take place when the “transfer necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent”. In this case, what is relevant is the incapacity of the data subject to provide consent. If the data subject is able to consent, even if the data transfer is necessary to protect their vital interest, this derogation shall not be applied; but derogation from Article 49(1)(a) GDPR. [17]
The incapacity may be physical, mental or legal. Therefore, a case of a medical emergency in which the data subject is unconscious is a good example. The data subject may also be mentally incapable of giving consent, or may not have legal capacity – e.g. because they are a minor.[18] Such incapability needs to be proved, and the data subject must be facing an imminent risk of serious harm. This derogation may also apply in case of armed conflict or rescue and retrieval operations.[19]
Transfers Made from a Public Register
According to Article 49(1)(g), transfers to third countries can take place when the “transfer is made from a public registry”. Such register must be open to public consultation by the public in general or by anyone who can demonstrate a legitimate interest. Two conditions must be met: firstly, the conditions for consultation set by the law must be fulfilled, and secondly, the principles of the GDPR must be applied, meaning that the controller needs to asses if the transfer is appropriate, considering the interests and rights of the data subject. In accordance with Article 49(3) GDPR, this derogation cannot apply to activities carried out by public authorities in the exercise of their public powers.
Compelling Legitimate Interests of the Controller
According to Article 49(1)(2) GDPR, transfers to third countries can take place when the transfer takes place due to a “compelling legitimate interests of the controller”. This derogation may only be applicable when no mechanisms from Articles 45, 46 GDPR and no other derogation can apply. It shall only be used in residual cases, when there is no other option available. The legitimate interest of the controller shall not be overridden by the interests and rights of the data subject. It must also be essential for the controller’s interests, non-repetitive, and the controller must be able to demonstrate the necessity for such transfer.[20]
For this, a balancing test needs to be carried out. This shall include the balancing of the controller’s interest against the data subject interest and rights. Suitable additional safeguards must be provided to reduce the risk and the impact of the transfer. For evidence purposes, it is also recommendable that the controller informs the supervisory activity about such transfer and records all relevant aspects. The controller also need to inform the data subject about the transfer and related relevant information.[21]
Limitation of Transfers Based on Important Reasons of Public Interest
According to Article 49(5) GDPR, the European Union or Member States can provide in the law for limitations of transfers of specific categories of data to third countries, based on important reasons of public interest. This may only cover specific and limited cases, and must be expressly stated in the legal provision.[22]
Decisions
→ You can find all related decisions in Category:Article 49 GDPR
References
- ↑ EDPB Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, adopted on 25 May 2018, pp. 3-4;
- ↑ EDPB 2018, op. cit., p. 3
- ↑ Ibidem
- ↑ Kuner, Bygrave, Docksey; The EU General Data Protection Regulation (GDPR): A Commentary, Oxford University Press, Oxford, 2020, p. 846
- ↑ EDPB 2018, op. cit., pp. 4-5
- ↑ Idem, pp. 7-8
- ↑ Article 29 Working Party, Guidelines on consent under Regulation 2016/679, adopted on 28 November 2017, p. 18
- ↑ Idem, pp. 7-8
- ↑ Article 29 Working Party 2017, p. 21
- ↑ EDPB 2018, op. cit., pp. 8-9
- ↑ Kuner, Bygrave, Docksey 2020, p. 848
- ↑ EDPB 2018, op. cit., p. 9
- ↑ Idem, pp. 9-10
- ↑ Idem, p. 10
- ↑ Idem, p. 11
- ↑ Ibidem
- ↑ Idem, p. 12-13
- ↑ Ibidem
- ↑ Ibidem
- ↑ Idem, pp. 15-16
- ↑ Idem, pp. 16-17
- ↑ Kuner, Bygrave, Docksey 2020, pp. 854-855