Article 46 GDPR: Difference between revisions

← Article 46 - Transfers subject to appropriate safeguards →
Chapter 1: General provisions Article 1: Subject-matter and objectives Article 2: Material scope Article 3: Territorial scope Article 4: Definitions Chapter 2: Principles Article 5: Principles relating to processing of personal data Article 6: Lawfulness of processing Article 7: Conditions for consent Article 8: Conditions applicable to child’s consent in relation to information society services Article 9: Processing of special categories of personal data Article 10: Processing of personal data relating to criminal convictions and offences Article 11: Processing which does not require identification Chapter 3: Rights of the data subject Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject Article 13: Information to be provided where personal data are collected from the data subject Article 14: Information to be provided where personal data have not been obtained from the data subject Article 15: Right of access by the data subject Article 16: Right to rectification Article 17: Right to erasure (‘right to be forgotten’) Article 18: Right to restriction of processing Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing Article 20: Right to data portability Article 21: Right to object Article 22: Automated individual decision-making, including profiling Article 23: Restrictions Chapter 4: Controller and processor Article 24: Responsibility of the controller Article 25: Data protection by design and by default Article 26: Joint controllers Article 27: Representatives of controllers or processors not established in the Union Article 28: Processor Article 29: Processing under the authority of the controller or processor Article 30: Records of processing activities Article 31: Cooperation with the supervisory authority Article 32: Security of processing Article 33: Notification of a personal data breach to the supervisory authority Article 34: Communication of a personal data breach to the data subject Article 35: Data protection impact assessment Article 36: Prior consultation Article 37: Designation of the data protection officer Article 38: Position of the data protection officer Article 39: Tasks of the data protection officer Article 40: Codes of conduct Article 41: Monitoring of approved codes of conduct Article 42: Certification Article 43: Certification bodies Chapter 5: Transfers of personal data Article 44: General principle for transfers Article 45: Transfers on the basis of an adequacy decision Article 46: Transfers subject to appropriate safeguards Article 47: Binding corporate rules Article 48: Transfers or disclosures not authorised by Union law Article 49: Derogations for specific situations Article 50: International cooperation for the protection of personal data Chapter 6: Supervisory authorities Article 51: Supervisory authority Article 52: Independence Article 53: General conditions for the members of the supervisory authority Article 54: Rules on the establishment of the supervisory authority Article 55: Competence Article 56: Competence of the lead supervisory authority Article 57: Tasks Article 58: Powers Article 59: Activity reports Chapter 7: Cooperation and consistency Article 60: Cooperation between the lead supervisory authority and the other supervisory authorities concerned Article 61: Mutual assistance Article 62: Joint operations of supervisory authorities Article 63: Consistency mechanism Article 64: Opinion of the Board Article 65: Dispute resolution by the Board Article 66: Urgency procedure Article 67: Exchange of information Article 68: European Data Protection Board Article 69: Independence Article 70: Tasks of the Board Article 71: Reports Article 72: Procedure Article 73: Chair Article 74: Tasks of the Chair Article 75: Secretariat Article 76: Confidentiality Chapter 8: Remedies, liability and penalties Article 77: Right to lodge a complaint with a supervisory authority Article 78: Right to an effective judicial remedy against a supervisory authority Article 79: Right to an effective judicial remedy against a controller or processor Article 80: Representation of data subjects Article 81: Suspension of proceedings Article 82: Right to compensation and liability Article 83: General conditions for imposing administrative fines Article 84: Penalties Chapter 9: Specific processing situations Article 85: Processing and freedom of expression and information Article 86: Processing and public access to official documents Article 87: Processing of the national identification number Article 88: Processing in the context of employment Article 89: Safeguards and derogations relating to processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes Article 90: Obligations of secrecy Article 91: Existing data protection rules of churches and religious associations Chapter 10: Delegated and implementing acts Article 92: Exercise of the delegation Article 93: Committee procedure Chapter 11: Final provisions Article 94: Repeal of Directive 95: /46: /EC Article 95: Relationship with Directive 20: 02: /58: /EC Article 96: Relationship with previously concluded Agreements Article 97: Commission reports Article 98: Review of other Union legal acts on data protection Article 99: Entry into force and application

Legal Text

1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

(a) a legally binding and enforceable instrument between public authorities or bodies;

(b) binding corporate rules in accordance with Article 47;

(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);

(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);

(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or

(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or

(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

5. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

Relevant Recitals

Commentary

Article 46(1) allows the transfer of personal data to a third country or an international organisation in the absence of an adequacy decision and always 'on condition that enforceable data subject rights and effective legal remedies for data subjects are available'. This provision, together with the others contained in Chapter V, thus contributes to the transfer of personal data in a globalised economy while ensuring a level of protection comparable to that provided by European law. From a practical point of view, the hypotheses regulated by Article 46 are very important since the vast majority of third countries or international organisations do not have their own adequacy decision under Article 45 GDPR. In the absence of such instruments, therefore, data transfer would be precluded to a large part of the planet.

(1) Scope

Article 46(1) allows the transfer of personal data to a third country or an international organisation by means of appropriate safeguards and in the absence of an adequacy decision. The provision seems to limit its scope to cases where there is no adequacy decision. However, it should be pointed out that the safeguards mentioned in the provision constitute an alternative system of data transfer and are therefore additional to the adequacy decision. For example, there may be cases where the controller, for a variety of reasons, may consider that the adequacy decision is invalid or does not provide an essentially equivalent level of protection. In such circumstances, it would not make sense to inhibit the controller from using these additional tools to increase the protection of the data subject.^[1]

Appropriate Safeguards

According to Recital 108 appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country.

Enforceable Data Subject Rights

Paragraph 1 clarifies that a transfer on the basis of appropriate safeguards may only take place if enforceable rights are granted to the data subject. This includes in particular. the right of access (Article 15), rectification (Article 16), deletion (Article 17), restriction of processing (Article 18), objection (Article 21) and the right to claim damages in the EU or in the third country. However, the mere granting of substantive rights is of little use to the data subject; in order to enforce it, it must also have effective remedies at its disposal. Since there are no legal provisions to which the data subject can refer if he or she wishes to enforce his or her rights, a different legal basis is required. This can only be based on a voluntary commitment of the data processing body in the third country. This voluntary commitment can be expressed in a construction such as a contract for the benefit of third parties.

Effective Legal Remedies

A further condition for the application of the safeguards in question is that the data subject must have effective legal remedies against possible infringements in the third country. This requirement clearly consists in the possibility of taking legal action in the third country. The practical feasibility of this requirement is however controversial. In many cases, the ordinary consumer will be faced with complex legal wrangling in distant and unfamiliar legal systems, including potential costs. For these reasons, some have branded this requirement as an "empty promise".^[2]

Article 46 and Schrems II

In Schrems II, the CJEU found that the notions of appropriate safeguards, enforceable rights, and effective legal remedies must be interpreted in light of Article 44 GDPR, which states that ‘all provisions [in that chapter] shall be applied in order to ensure that the level of protection of natural persons guaranteed by [that regulation] is not undermined’. Thus, the Court continued, ‘that level of protection must therefore be guaranteed irrespective of the provision of that chapter on the basis of which a transfer of personal data to a third country is carried out’.

The Court of Justice of the European Union (CJEU) ruled on two key data transfer mechanisms invalidating the EU-U.S. Privacy Shield for data transfers to the U.S. and imposing enhanced due diligence on parties using the SCCs.^[3] According to the decision, where such enhanced due diligence determines that the laws of the data importer’s country do not provide essentially equivalent protection of personal data to that guaranteed under EU law, supplementary measures must be implemented. If the implementation of such supplementary measures would still not provide essentially equivalent protection with respect to the data importer’s country, the data transfer must be suspended.

In practice, the data exporter must always check whether the legal situation in the recipient country enables the data importer to comply with the contractual obligations entered into – for example in the form of standard data protection clauses – such as those to process the received data exclusively in accordance with the exporter's instructions. This applies in particular with regard to the aspect of possible data access by authorities in the third country. This is because contractual guarantees such as the standard data protection clauses agreed between the data exporter and the data importer naturally have no binding effect vis-à-vis authorities.

As a consequence, the exporter must verify the state of law and practice in the third country. The analysis should not study the entire legal system of the third country but should rather be limited to the most critical areas including law enforcement, intelligence services and specific sectoral disciplines where relevant to the specific processing. Once the relevant laws have been identified, it should be verified whether the law of the third country complies with the essential elements of clarity and predictability. Finally, it should be verified whether the law meets the criterion of strict necessity in a democratic society to ensure, among others, state security, national defence or public safety.

The mere existence of such provisions should lead to the blocking of transfers to the third country. At this point, however, the EDPB introduces a new element - not actually required by Schrems II - which consists in the likelihood that the interception (theoretically) envisaged by the law will also happen in practice, or at least that it is likely to happen. In this sense, the Board refers to the 'practical experience' of the data importer. In this respect, any past experience where the importer has received requests for disclosure from local authorities, or where it is known that a certain type of transaction is subject to interception, is relevant. In addition, it is clear from the Schrems II judgment that the data exporter must also check whether legal remedies are available for data subjects. For example, in the specific case, following the bulk surveillance under the so-called Section 702 FISA and Executive Order 12.333, non-US persons were not entitled to judicial legal protection options vis-à-vis the US authorities. More over, the so-called ombudsperson mechanism, which was provided for in the EU-U.S. Privacy Shield, was also not considered by the ECJ to be a sufficient legal protection mechanism.

The Court held that the standard of essential equivalence with EU law which it had found to apply to adequacy decisions in its first Schrems judgment also applies to data transfers under appropriate guarantees. It confirmed that the standards for determining the level of protection must be based on EU law, particularly the Charter.Within these parameters, the Court upheld the use per se of SCCs as a data transfer mechanism. However, it also found that since SCCs do not bind public authorities (such as law enforcement or security authorities) in third countries, they cannot restrain such authorities from accessing data transferred under them.

Therefore, the Court held, the contracting parties should make use of ‘additional safeguards’ to protect the data in addition to those provided under the SCCs, though it did not provide details as to what such additional safeguards should be. The EDPB, in its Recommendations 1/2020 paper, the EDPB sees only encryption and pseudonymisation as measures to be taken in the case of transfers of data that → Paragraph 2d) of a third country, it is capable of effectively preventing the effects of the 'problematic law', subject to certain requirements for encryption or pseudonymisation, which are described in more detail in the og Paper (see EDPB Recommendations 1/2020, paragraphs 84, 85). However, in some transmission scenarios, it will not be possible to find additional measures that are effective and thus could still "save" the transmission.

In conclusion, personal data may not be used solely on the basis of guarantee instruments according to Article 46 are transferred to the USA, but at most if a level of protection comparable to that of the EU can be guaranteed with the help of additional measures. The ECJ has hereby imposed a considerable burden on data exporters who wish to transfer personal data to a third country. They must actively deal with the legal situation in the third country on an ongoing basis From this point of view, the Schrems II ruling of the ECJ could initiate a trend towards the retrieval of data processing processes from third countries to the European Union combined with the conversion of business processes both for data protection controllers and for providers of processing services, such as servers and storage space.

Important Incidentally, this statement of the ECJ will also be used for the other guarantee instruments within the meaning of the Kind. 46 since all these instruments are of a contractual or quasi-contractual nature and therefore cannot bind third-country authorities.

(2) Appropriate Safeguards

Article 46(2) GDPR provides a list of appropriate safeguards that the controller or processor may use. Transfers based on such instruments do not require prior authorisation from the DPA. Thus, no approval is required for transfers based on (a) a legally binding and enforceable instrument between public authorities or bodies; (b) binding corporate rules in accordance with Article 47; (c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2); (d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2); (e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or (f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

(a) Legally binding and enforceable instrument between public authorities or bodies

The reference to 'a legally binding and enforceable instrument between public authorities or bodies' allows data transfers based on enforceable legal instruments between public authorities or bodies in the EU and those in third countries. This could include, for example, an international agreement (i.e. a treaty) to share data between an EU-based public authority and one in a third country.^[4] The provision does not clarify what is meant by an instrument. Recital 108, however, makes it clear that it may be"administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects".

(b) Binding corporate rules in accordance with Article 47

The Binding Corporate Rules allow the transfer of personal data to third countries without an adequacy decision, when the transfer takes place within the same group of companies. Please refer to the commentary on Article 47 GDPR.

(c) Standard data protection clauses adopted by the Commission under Article 93(2)

The Standard Data Protection Clauses, already provided for by the previous regulation in Article 26(4) of Directive 95/46/EE, are, in fact, a set of predefined clauses prepared by the European Commission and adopted under Article 93(2) GDPR. A first set of SCCs was introduced with the decisions 2001/497/EC or Decision 2010/87/EU.^[5]

As already reported elsewhere, with the Schrems II decision, the EU Court of Justice emphasised that not only the adequacy decision (Article 45 GDPR) but also SCCs must ensure an essentially equivalent level of protection. Taking this into account, on 4 June 2021 the European Commission has adopted the implementing decision (EU) no. 2021/914 which established a new set of SCC. These clauses transpose the main aspects of the GDPR into contractual terms. Among other things, the contractual parties require to inform the data subject under Articles 13(1)(f) GDPR, allow the data subject to exercise its rights under the law of the Member States. The importing party must also provide an easy point of contact for the data subject to make any complaints or claims, possibly to a DPA or a court located in the European Union. Further, data subjects will be able to be represented in court by non-profit associations and to claim compensation for damages resulting from unlawful processing operations. Finally, there is an obligation to constantly check the legislation of the third country against the purposes of protecting personal data.

The GDPR makes it clear that there is no prohibition against ‘adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects’ (Recital 109). However, any amendment of the "standard clauses means that they will be considered to be ad hoc clauses that require the authorisation of the competent DPA" under Article 46(3)(a) GDPR.^[6]

(d) Standard data protection clauses adopted by a supervisory authority and approved by the Commission

A further innovation of the GDPR is the possibility for standard data protection clauses to be adopted not only by the Commission but also by the DPAs of the individual Member States. The adoption of such clauses requires, firstly, the mandatory opinion of the EDPB under Article 64(1)(d) GDPR and, subsequently, the acceptance of the Commission under the procedure provided for in Article 93(2) GDPR.

(e) Approved code of conduct pursuant to Article 40

Codes of conduct are another novelty brought by the GDPR. They are drawn up by associations or associations representing certain groups of data processors and provide these bodies with guidelines for the application of provisions of the GDPR, for example with regard to technical and organisational security measures, reporting obligations in the event of data protection violations, but also data transfers to third countries or to international organisations. For further information, please refer to the commentary on Article 40 GDPR.

(f) Approved certification mechanism pursuant to Article 42

The GDPR does not contain a definition of "certification mechanism" although Article 42 refers to "data protection seals and marks". An example of a certification mechanism would thus "presumably be a trustmark placed on a website, which would have to be backed up by some sort of code of conduct or code of practice". Certification mechanisms are voluntary, but under Article 42(5) they may be approved either by a DPA or a national certification body as set out in Article 43. A certification mechanism must contain "binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards", and must thus be legally binding. No additional DPA authorisation is required for the use of a certification mechanism once it has been approved.^[7]

(3) Other Safeguards which require an Authorization by the DPA

In addition to the appropriate safeguards provided for in paragraph 2, which, as said, do not require prior authorisation by the supervisory authority, paragraph 3 opens to further hypotheses, which, conversely, are subject to DPA's prior authorisation. The provision mentions two examples,^[8] (a) contractual clauses between the controller or processor and the controller, processor or the recipient ("Ad-hoc Contractual Clauses") and (b) provisions to be inserted into administrative arrangements between public authorities ("Administrative Arrangements").

(a) Ad-hoc Contractual Clauses

Article 46(3)(a) GDPR allows the creation of specific transfer agreements between exporter and importer. It is clear that the contract should clarify the essential aspects of the transfer and follow the SCC structure in terms of content and safeguards. For example, clauses defining the intended purpose, the categories of data to be transmitted or the measures to prevent unauthorized access. In contrast to the subsequent Article 46(3)(b), this provision does not provide that the clauses must include "enforceable and effective data subject rights". This is evidently a drafting error since it is precisely in such cases that there is a need to protect the interests of the data subject. Consequently, the ad-hoc clauses should also contain provisions on such safeguards.

(b) Administrative Arrangements

Article 46(3)(b) GDPR permits transfers based on 'provisions to be inserted into administrative arrangements between public authorities or bodies'. Unlike the agreements referred to in Article 46(2)(a) above, these agreements are not "legally binding" (Recital 108 speaks of "memorandum of understandings"), which is why they require prior authorisation by the DPA. Kuner correctly points out that it is unclear "how 'enforceable and effective' rights for data subjects can be provided when the arrangements under which such. rights are to be secured are themselves not legally binding".^[9]

(4) Consistency Mechanism in case Paragraph 3 Applies

The appropriate safeguards under paragraph 2 must be submitted to the respective supervisory authority for examination and approval. The supervisory authorities must provide an express answer, need to be proactive and assess the effectiveness of the proposed safeguards. The supervisory authority shall also apply the consistency mechanism referred to in Article 63 GDPR.

(5) Continuous Validity

Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

Decisions

→ You can find all related decisions in Category:Article 46 GDPR

References