Article 46 GDPR

From GDPRhub
Revision as of 14:57, 19 August 2021 by JS (talk | contribs)
Article 46 - Transfers subject to appropriate safeguards
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 46 - Transfers subject to appropriate safeguards


1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

5. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

Relevant Recitals

Recital 108

Recital 109

Commentary

Article 46 GDPR refers to transfers of personal data from EEA public authorities or bodies (hereafter “public bodies”) to public bodies in third countries or to international organisations, which are not covered by an adequacy decision of the European Commission (public authorities or bodies are specified by the EDPB in its guidelines[1] and include government authorities (national, regional or local authorities), as well as other bodies governed by public law (executive agencies)[2]). Appropriate safeguards are more limited in scope than adequacy decisions and are tailored to particular transfers or types of transfers[3]. Public bodies can use these mechanisms or rely on other relevant tools providing appropriate safeguards in accordance with Article 46 GDPR. Such appropriate safeguards may be provided for by a legally binding and enforceable instrument between public bodies (Article 46 (2)(a) GDPR) or, subject to authorisation from the competent SA, by provisions to be inserted into administrative arrangements between public bodies which include enforceable and effective data subject rights (Article 46 (3)(b) GDPR).

The GDPR specifies in Article 46 GDPR that “in the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available”.

Article 46 and Schrems II

In Schrems II the Court of Justice of the European Union (CJEU) ruled on two key data transfer mechanisms invalidating the EU-U.S. Privacy Shield for data transfers to the U.S. and imposing enhanced due diligence on parties using the SCCs. According to the decision, where such enhanced due diligence determines that the laws of the data importer’s country do not provide essentially equivalent protection of personal data to that guaranteed under EU law, supplementary measures must be implemented. If the implementation of such supplementary measures would still not provide essentially equivalent protection with respect to the data importer’s country, the data transfer must be suspended.

The CJEU did not provide further guidance on assessing the laws of third countries, or the form that supplementary measures may take, leaving data exporters uncertain about practical next steps. The court also ruled that where organizations, including those located in the U.S., transfer data to a third country pursuant to an Article 46 GDPR data transfer mechanism, they need to consider whether the laws or practices in that third country would undermine the effectiveness of the selected safeguards in relation to EEA data.

Appropriate Safeguards

Article 46 GDPR provides for additional appropriate safeguards as tools for transfers between public bodies: Article 46 (2)(a) GDPR provides for a legally binding and enforceable instrument and Article 46 (3)(b) GDPR refers to provisions which should be inserted into administrative arrangements, bilateral or multilateral. In the light of Recital 109 and Recital 114, parties can provide for innovative solutions and go beyond what the GDPR provides in order to protect the transfers.[4]

The EDPB in its guidelines, in the light of Article 44 GDPR and of Article 46 GDPR and Recital 108 GDPR, which do not provide specific indications on the guarantees to be included in such international agreements, has concluded to a list of minimum safeguards that should be included in international agreements under Articles 46(2)(a) GDPR or Article 46(3)(b) GDPR.

“International agreement” as a term is used in the EU Treaties to refer to agreements concluded between the EU or the Member States with third countries or international organizations[5]. According to the Court of Justice the key factor to determine an international agreement is its binding force[6] whereas, administrative arrangements under Article 46(3)(b) GDPR aren’t always legally binding. The list in EDPB's guidelines includes:

Purpose and Scope

Scope and purposes should be explicitly and specifically determined and stating the categories of personal data and the type of processing.

Definitions

Important definitions such as “personal data”, “processing of personal data”, “data controller” must be included.

Data Protection Principles

The agreements must respect the purpose limitation principle and needs to specify the purposes for which personal data is to be transferred and processed. Moreover the data accuracy and minimisation principle must be respected since the data transferred and further processed must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are transmitted. In addition the agreements must respect the storage limitation principle and include a data retention clause specifying that personal data shall not be retained indefinitely. Finally the importance of security and confidentiality of data must be highlighted and the appropriate technical and organisational measures must be applied to protect personal data against accidental or unlawful access, loss, or unauthorised disclosure.

Rights of the Data Subjects

The agreement must mention and include the rights of the data subjects such as: the right to transparency, the rights of access, the right to rectification, erasure, restriction of processing and the right to object. An automated individual decision-making clause should be included stating that the receiving body will not take any decision based on automated decision making.

Right to Redress

Onward transfers to recipients not bound by the agreement should be specifically excluded by the international agreement. If the parties find it necessary to allow onward transfers, the transfer can take place under the condition that the purpose limitation principle is respected. Provisions that allow exceptions to the requirements for onward transfers also apply to international organizations[7]. The agreement should secure that data subjects will continue to benefit from redress mechanisms[8] after their data has been transferred. The receiving public body should commit to put in place a mechanism to effectively and timely handle and resolve complaints from data subjects concerning compliance with the agreed data protection safeguards. In case of unlawful processing of the personal data, the agreement should include provisions for compensation for material or non – material damages.

Independent supervision mechanisms should monitor the proper application of the agreement in order to make sure that all obligations created are respected. A termination clause should be included in the agreement.

The contractual clauses that the parties will choose to adopt and their bindings and enforceable commitments can be seen as a “code of conduct” which aims to protect data subject’ s rights.

Article 46 (2)(a) GDPR allows EEA public bodies to base transfers to public bodies in a third country or an international organisation on legally binding and enforceable instruments concluded between them without obtaining prior authorisation from a SA, while respecting the data protection principles as required by the regulation. The agreement should also regulate the way of applying these data protection principles and rights to all transferred personal data to ensure the equivalent level of protection with the GDPR[9].

Administrative Arrangements

The GDPR in its Article 46(3)(b) GDPR also provides for alternative instruments (administrative arrangements) to bring the parties’ common arrangement into force. Data transfers based on these arrangements require authorization from the competent DPA[10]. These arrangements have to ensure enforceable data subject rights and effective legal remedies and for that reason they should contain assurances that individual rights are fully provided by the national law and can be exercised by EEA individuals under the same conditions as is the case for citizens of the concerned third country[11].

The parties can use the administrative arrangements and the measures to take place which could also be acceptable as long as they provide for effective redress. Examples of acceptable measures are: specific commitments from the parties, combined with procedural mechanisms to ensure their effectiveness and provide redress to the individual, a possibility for the individual to have recourse to an alternative dispute resolution mechanism, or a combination of all of the above, as long as they provide for effective redress[12].

Decisions

→ You can find all related decisions in Category:Article 46 GDPR

References

  1. EDPB, Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies, 18 January 2020, p. 8 (available here).
  2. See the definition of ‘public sector body’ and ‘body governed by public law’ in Article 2 (1) and (2) of Directive 2003/98/EC of the European Parliament and of the Council of 17 November 2003 on the re-use of public-sector information, 31 December 2003, p. 90 (available here).
  3. Kuner, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 46 GDPR, p. 802 (Oxford University Press 2020).
  4. Kuner, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 46 GDPR, p. 803 (Oxford University Press 2020).
  5. See Kuner, Comments on EDPB Guidelines 2/2020 on articles 46(2)(a) and 46(3)(b) of the GDPR, May 2020, p. 1 (available here).
  6. See EUCJ, C-327/91, France v. Commission, 9 August 1994, margin number 27 (available here).
  7. See Kuner, Comments on EDPB Guidelines 2/2020 on articles 46(2)(a) and 46(3)(b) of the GDPR, May 2020, p. 2 (available here).
  8. See Kuner, Comments on EDPB Guidelines 2/2020 on articles 46(2)(a) and 46(3)(b) of the GDPR, May 2020, p. 2 (available here),“should make it clear that the alternative redress mechanisms could include those implemented by international organisations”.
  9. EDPB, Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies, 18 January 2020, p. 17 (available here).
  10. Kuner, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 46 GDPR, p. 808 (Oxford University Press 2020).
  11. EDPB, Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies, 18 January 2020, p. 17 (available here).
  12. EDPB, Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies, 18 January 2020, p. 17 (available here), When integrating alternative redress mechanisms in binding and enforceable instruments pursuant to Article 46(2)(a) GDPR, the EDPB recommends also seeking advice from the competent SA.