Article 46 GDPR

From GDPRhub
Article 46 - Transfers subject to appropriate safeguards
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 46 - Transfers subject to appropriate safeguards

1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

5. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

Relevant Recitals

Recital 108: Transfers Subject to Appropriate Safeguards
In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

Recital 109: Standard Data-Protection Clauses
The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.

Commentary

Article 46(1) allows the transfer of personal data to a third country or an international organisation in the absence of an adequacy decision and always 'on condition that enforceable data subject rights and effective legal remedies for data subjects are available'. This provision, together with the others contained in Chapter V, thus contributes to the transfer of personal data in a globalised economy while ensuring a level of protection comparable to that provided by European law. From a practical point of view, the instruments regulated by Article 46 are very important, since the vast majority of third countries or international organisations do not have their own adequacy decision under Article 45 GDPR. Therefore, in the absence of such instruments, data transfer would be precluded to a large part of the planet.

(1) Scope

Article 46(1) allows the transfer of personal data to a third country or an international organisation in the absence of an adequacy decision, by means of appropriate safeguards. Although the provision seems to limit its scope to cases where there is no adequacy decision, it should be pointed out that the safeguards mentioned in the provision constitute an alternative system of data transfer and can therefore be additional elements to the adequacy decision. For example, there may be cases where the controller, for a variety of reasons, may consider that the adequacy decision is invalid, or does not provide an essentially equivalent level of protection. In such circumstances, it would not make sense to inhibit the controller from using these additional tools to increase the protection of data subject rights.[1]

Appropriate Safeguards

According to Recital 108, appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses (also known as standard contractual clauses or SCCs) adopted by the European Commission (Commission), standard data protection clauses adopted by a data protection authority (DPA) or contractual clauses authorised by a DPA. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union.This includes the availability of enforceable data subject rights and of effective legal remedies, the possibility to obtain effective administrative or judicial redress, as well as to claim compensation, in the Union or in a third country.

Enforceable Data Subject Rights

Paragraph 1 clarifies that a transfer on the basis of appropriate safeguards may only take place if enforceable rights are granted to the data subject. This includes, in particular, the right of access (Article 15 GDPR), rectification (Article 16 GDPR), deletion (Article 17 GDPR), restriction of processing (Article 18 GDPR), objection (Article 21 GDPR) and the right to ‘claim damages’ in the EU or in a third country. However, the mere granting of substantive rights is of little use to the data subject; in order to enforce them, the data subject must also have effective remedies at their disposal. The absence of an adequacy decision entails that there are no legal provisions on which the data subject can rely on if they wish to enforce their rights. Therefore, a different legal avenue is required. This can only be based on a voluntary commitment of the data processing body in the third country, which can be expressed in a construction such as a civil law contract for the benefit of third parties, which in this case would be the data subjects.

Effective Legal Remedies

A further condition for the application of the safeguards in question is that the data subject must have effective legal remedies against possible infringements in the third country. This requirement clearly consists in the possibility of taking legal action in the third country. The practical feasibility of this requirement is however controversial. In many cases, the ordinary consumer will be faced with complex legal wrangling in distant and unfamiliar legal systems, including potential costs. For these reasons, some have branded this requirement as an "empty promise".[2]

All the Above post Schrems II

In Schrems II, the CJEU held that the notions of appropriate safeguards, enforceable rights, and effective legal remedies under Article 46 GDPR must be interpreted in light of Article 44 GDPR, which states that “all provisions [in Chapter V, including Article 46 GDPR and its SCCs] shall be applied in order to ensure that the level of protection of natural persons guaranteed by [the GDPR] is not undermined”. The Court continued: “that level of protection must therefore be guaranteed irrespective of the provision of that chapter on the basis of which a transfer of personal data to a third country is carried out”. In particular, in the absence of an adequacy decision, and with specific regard to the SCCs, the data exporter should determine whether the laws of the data importer’s country provide an “essentially equivalent” protection of personal data to that guaranteed under EU law. Should that not be the case, “supplementary measures” must be implemented and, if such measures would still not provide an “essentially equivalent” protection, the data transfer must then be suspended.

The EDPB has provided specific guidance on the matter. In practice, the data exporter must always check whether the legal situation in the recipient country enables the data importer to comply with the contractual obligations entered into – for example in the form of standard data protection clauses – such as those to process the received data exclusively in accordance with the exporter's instructions.[3] As a consequence, the exporter must verify the state of law and practice in the third country. The analysis should not cover the entire legal system of the third country, but should rather be limited to the most critical areas including law enforcement, intelligence services and specific sectoral disciplines relevant to the specific processing activity. Once the relevant laws have been identified, the third-country law’s compliance with the essential elements of clarity and predictability should then be verified. Finally, an assessment should be made as to whether the law meets the criterion of strict necessity in a democratic society to ensure, among others, state security, national defence or public safety. The mere absence of either of such requirements should lead to the blocking of transfers to the third country unless “additional safeguards” are available to protect the transferred personal data. The EDPB, in its Recommendations 1/2020 paper, mentions mostly encryption and pseudonymisation. However, in some transmission scenarios, it will not be possible to find additional measures that are effective and thus could still "save" the transmission.[4]

The CJEU has hereby imposed a considerable burden on data exporters who wish to transfer personal data to any third country. They must actively deal with the legal situation in the third country on an ongoing basis. From this point of view, the Schrems II ruling may indicate a certain trend towards the establishment of EU-based servers and storage space.

(2) Appropriate Safeguards

Article 46(2) GDPR provides a list of appropriate safeguards that the controller or processor may use to transfer data without a prior authorisation from the DPA. The list includes the following transfer instruments (or safeguards): (a) a legally binding and enforceable instruments between public authorities or bodies; (b) binding corporate rules in accordance with Article 47 GDPR; (c) standard data protection clauses adopted by the Commission; (d) standard data protection clauses adopted by a DPA and subsequently approved by the Commission; (e) an approved code of conduct; or (f) an approved certification mechanism.

(a) Legally binding and enforceable instrument between public authorities or bodies

A “legally binding and enforceable instrument between public authorities or bodies” allows data transfers between such entities. This could include, for example, an international agreement (i.e. a treaty) to share data between an EU-based public authority and one in a third country.[5] The provision does not clarify what is meant by an instrument. Recital 108, however, reduces the uncertainty by mentioning “administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects”.

EDPB Guidelines: on this provision there are Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies

(b) Binding corporate rules in accordance with Article 47

Binding corporate rules allow the transfer of personal data to third countries without an adequacy decision, when the transfer takes place within the same group of companies. For more on this, please refer to the commentary on Article 47 GDPR.

(c) Standard data protection clauses adopted by the Commission under Article 93(2)

Standard data protection clauses (or SCCs), are a set of predefined clauses prepared by the European Commission and adopted under through a decision under Article 93(2) GDPR. A first set of such clauses were established by decisions 2001/497/EC and 2010/87/EU.[6] As mentioned above, with the Schrems II decision, the CJEU emphasised that not only adequacy decisions (Article 45 GDPR), but also SCCs, must ensure an essentially equivalent level of protection and that it is incumbent on the controller to ensure that additional safeguards are given where the case so requires.

Taking this into account, on 4 June 2021 the Commission adopted the Implementing Decision (EU) 2021/914, which established a new set of SCCs. These clauses transpose the main aspects of the GDPR as well as the Schrems II ruling into contractual terms. Among other things, by signing the SCCs, the contractual parties are required to, among the others, (i) fully inform the data subjects about the processing and the transfer, (ii) ensure the full exercise of their GDPR rights; (iii) provide an easy point of contact for the data subject to make any complaints or claims; (iv) continuously assess the importer’s national law and verify whether it provides an essentially equivalent level of protection and, should that not be the case, (v) adopt additional measures to solve the problem or otherwise interrupt the transfer. Moreover, (vi) data subjects should be able to be represented in court by non-profit associations, and to claim compensation for damages resulting from unlawful processing operations.

Recital 109 GDPR clarifies that there is no prohibition against "adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects". However, any amendment of the "standard clauses means that they will be considered to be ad hoc clauses that require the authorisation of the competent DPA" under Article 46(3)(a) GDPR.Article 46(1) allows the transfer of personal data to a third country or an international organisation in the absence of an adequacy decision and always 'on condition that enforceable data subject rights and effective legal remedies for data subjects are available'. This provision, together with the others contained in Chapter V, thus contributes to the transfer of personal data in a globalised economy while ensuring a level of protection comparable to that provided by European law. From a practical point of view, the instruments regulated by Article 46 are very important, since the vast majority of third countries or international organisations do not have their own adequacy decision under [7]

(d) Standard data protection clauses adopted by a supervisory authority and approved by the Commission

A further innovation of the GDPR is the possibility for SCCs to be adopted not only by the Commission, but also by the DPAs of the individual Member States. The adoption of such clauses requires, firstly, the mandatory opinion of the EDPB under Article 64(1)(d) GDPR and, subsequently, the acceptance of the Commission under the procedure provided for in Article 93(2) GDPR.

(e) Approved code of conduct pursuant to Article 40

Codes of conduct are another novelty brought by the GDPR. They are drawn up by associations (which may represent certain groups of data processors) and provide these bodies with guidelines for the application of the GDPR, for example, with regard to technical and organisational security measures, reporting obligations in the event of data protection violations, as well as data transfers to third countries or to international organisations. For further information, please refer to the commentary on Article 40 GDPR.

EDPB Guidelines: For this provision, please see Guidelines 04/2021 on Codes of Conduct as tools for transfers

(f) Approved certification mechanism pursuant to Article 42

The GDPR does not contain a definition of "certification mechanism" although Article 42 GDPR refers to "data protection seals and marks". An example of a certification mechanism would thus "presumably be a trustmark placed on a website, which would have to be backed up by some sort of code of conduct or code of practice". Certification mechanisms are voluntary, but under Article 42(5) GDPR they may be approved either by a DPA or a national certification body as set out in Article 43 GDPR. A certification mechanism must contain "binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards", and must thus be legally binding. No additional DPA authorisation is required for the use of a certification mechanism once it has been approved.[8]

EDPB Guidelines: on this provision, please see Guidelines 07/2022 on certification as a tool for transfers

(3) Other Safeguards which require an Authorization by the DPA

In addition to the appropriate safeguards provided for in paragraph 2, paragraph 3 opens to further hypotheses. In this case, though, the use of such safeguards require the SA's prior authorisation. The provision mentions two examples,[9] (a) contractual clauses between the controller or processor and the controller, processor or the recipient ("Ad-hoc Contractual Clauses") and (b) provisions to be inserted into administrative arrangements between public authorities ("Administrative Arrangements").

(a) Ad-hoc Contractual Clauses

Article 46(3)(a) GDPR allows the creation of specific transfer agreements between exporter and importer. It is clear that the contract should clarify the essential aspects of the transfer and follow the SCC’s structure in terms of content and safeguards. For example, clauses defining the intended purpose, the categories of data to be transmitted or the measures to prevent unauthorized access. In contrast to the subsequent Article 46(3)(b), this provision does not provide that the clauses must include "enforceable and effective data subject rights". This is evidently a drafting error since it is precisely in such cases that there is a need to protect the interests of the data subject. Consequently, the ad-hoc clauses should also contain provisions on such safeguards.

(b) Administrative Arrangements

Article 46(3)(b) GDPR permits transfers based on "provisions to be inserted into administrative arrangements between public authorities or bodies". Unlike the agreements referred to in Article 46(2)(a) above, these agreements are not "legally binding" (Recital 108 speaks of "memorandum of understandings"), which is why they require prior authorisation by the DPA. Kuner correctly points out that it is unclear "how 'enforceable and effective' rights for data subjects can be provided when the arrangements under which such rights are to be secured are themselves not legally binding".[10]

EDPB Guidelines: on this provision there are Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies

(4) Consistency Mechanism in case Paragraph 3 Applies

The appropriate safeguards under paragraph 3 must be submitted to the respective DPAfor examination and approval. The supervisory authorities must not only provide an express answer, but also needs to be proactive and assess the effectiveness of the proposed safeguards. The DPA shall also apply the consistency mechanism referred to in Article 63 GDPR.

(5) Continuous Validity

Authorisations by a Member State or a DPAon the basis of Article 26(2) DPD shall remain valid until amended, replaced or repealed, if necessary, by that DPA. Similarly, decisions adopted by the Commission on the basis of Article 26(4) DPD shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of the aforementioned DPD provision.

Decisions

→ You can find all related decisions in Category:Article 46 GDPR

References

  1. Schantz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 46 GDPR, margin number 4 (C.H. Beck 2019).
  2. Schantz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 46 GDPR, margin number 10 (C.H. Beck 2019).
  3. This applies in particular with regard to the potential access to data by the third country’s authorities, because contractual guarantees, such as the standard data protection clauses agreed between the data exporter and the data importer, naturally have no binding effect vis-à-vis authorities.
  4. EDPB, ‘Guidelines 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data’, 18 June 2021 (Version 2.0), pp. 29-30 (available here).
  5. Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 46 GDPR, p. 806 (Oxford University Press 2020).
  6. Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593) (available here).
  7. This is also the case with regard to the new SCCs issued by the Commission in draft form in November 2020 as per Commission Draft SCCs 2020, clause 1(c). See, Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR) Update of Selected Articles, Article 68 GDPR, p. 177.
  8. Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 46 GDPR, pp. 807-808 (Oxford University Press 2020).
  9. The use of the expression “in particular” means that the list is not exhaustive. Accordingly, other forms of appropriate safeguards are possible, provided they ensure an adequate level of protection and are authorised by the DPA.
  10. Kuner, in Kuner, Bygrave, Docksey, The EU General Data Protection Regulation (GDPR): A Commentary, Article 46 GDPR, p. 808 (Oxford University Press 2020).