Article 46 - Transfers subject to appropriate safeguards

Legal Text

Article 46 - Transfers subject to appropriate safeguards

1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

5. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

Relevant Recitals

Recital 108: Transfers Subject to Appropriate Safeguards
In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

Recital 109: Standard Data-Protection Clauses
The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.

Commentary

Article 46(1) allows the transfer of personal data to a third country or an international organisation in the absence of an adequacy decision and always 'on condition that enforceable data subject rights and effective legal remedies for data subjects are available'. This provision, together with the others contained in Chapter V, thus contributes to the transfer of personal data in a globalised economy while ensuring a level of protection comparable to that provided by European law. From a practical point of view, the cases regulated by Article 46 are very important, since the vast majority of third countries and international organisations are not covered by an adequacy decision under Article 45 GDPR. Without the instruments of Article 46, therefore, data transfers to a large part of the world would be precluded.

(1) Scope

Article 46(1) allows the transfer of personal data to a third country or an international organisation by means of appropriate safeguards and in the absence of an adequacy decision. The provision seems to limit its scope to cases where there is no adequacy decision. However, it should be pointed out that the safeguards mentioned in the provision constitute an alternative system of data transfer and are therefore additional to the adequacy decision. For example, there may be cases where the controller, for a variety of reasons, may consider that the adequacy decision is invalid or does not provide an essentially equivalent level of protection. In such circumstances, it would not make sense to inhibit the controller from using these additional tools to increase the protection of the data subject.[1]

Appropriate Safeguards

According to Recital 108 appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country.

Enforceable Data Subject Rights

Paragraph 1 clarifies that a transfer on the basis of appropriate safeguards may only take place if enforceable rights are granted to the data subject. This includes in particular the right of access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), objection (Article 21) and the right to claim damages in the EU or in the third country. However, the mere granting of substantive rights is of little use to the data subject; in order to enforce them, he or she must also have effective remedies at his or her disposal. Since there are no legal provisions in the third country to which the data subject can refer when seeking to enforce these rights, a different legal basis is required. This can only be a voluntary commitment by the data processing body in the third country, which can be expressed in a construction such as a contract for the benefit of third parties.

Effective Legal Remedies

A further condition for the application of the safeguards in question is that the data subject must have effective legal remedies against possible infringements in the third country. This requirement essentially means that the data subject must be able to take legal action in the third country. The practical feasibility of this requirement is, however, controversial. In many cases, the ordinary consumer will be faced with complex legal wrangling in distant and unfamiliar legal systems, including potential costs. For these reasons, some have branded this requirement an "empty promise".[2]

Article 46 and Schrems II

In Schrems II, the CJEU found that the notions of appropriate safeguards, enforceable rights, and effective legal remedies must be interpreted in light of Article 44 GDPR, which states that ‘all provisions [in that chapter] shall be applied in order to ensure that the level of protection of natural persons guaranteed by [that regulation] is not undermined’. Thus, the Court continued, ‘that level of protection must therefore be guaranteed irrespective of the provision of that chapter on the basis of which a transfer of personal data to a third country is carried out’.

The Court of Justice of the European Union (CJEU) ruled on two key data transfer mechanisms, invalidating the EU-U.S. Privacy Shield for data transfers to the U.S. and imposing enhanced due diligence on parties using the SCCs.[3] According to the decision, where such enhanced due diligence determines that the laws of the data importer's country do not provide protection of personal data essentially equivalent to that guaranteed under EU law, supplementary measures must be implemented. If even the implementation of such supplementary measures would not provide essentially equivalent protection in the data importer's country, the data transfer must be suspended.

In practice, the data exporter must always check whether the legal situation in the recipient country enables the data importer to comply with the contractual obligations entered into – for example in the form of standard data protection clauses – such as those to process the received data exclusively in accordance with the exporter's instructions. This applies in particular with regard to the aspect of possible data access by authorities in the third country. This is because contractual guarantees such as the standard data protection clauses agreed between the data exporter and the data importer naturally have no binding effect vis-à-vis authorities.

As a consequence, the exporter must verify the state of law and practice in the third country. The analysis should not study the entire legal system of the third country but should rather be limited to the most critical areas including law enforcement, intelligence services and specific sectoral disciplines where relevant to the specific processing. Once the relevant laws have been identified, it should be verified whether the law of the third country complies with the essential elements of clarity and predictability. Finally, it should be verified whether the law meets the criterion of strict necessity in a democratic society to ensure, among others, state security, national defence or public safety.

The mere existence of such provisions should lead to the blocking of transfers to the third country. At this point, however, the EDPB introduces a new element, not actually required by Schrems II, which consists in whether the interception (theoretically) envisaged by the law also happens in practice, or at least is likely to happen. In this sense, the Board refers to the 'practical experience' of the data importer. In this respect, any past experience where the importer has received requests for disclosure from local authorities, or where it is known that a certain type of transaction is subject to interception, is relevant. In addition, it is clear from the Schrems II judgment that the data exporter must also check whether legal remedies are available for data subjects. In the specific case, for example, following the bulk surveillance under the so-called Section 702 FISA and Executive Order 12333, non-US persons were not entitled to judicial legal protection vis-à-vis the US authorities. Moreover, the so-called ombudsperson mechanism provided for in the EU-U.S. Privacy Shield was also not considered by the ECJ to be a sufficient legal protection mechanism.

The Court held that the standard of essential equivalence with EU law, which it had found to apply to adequacy decisions in its first Schrems judgment, also applies to data transfers under appropriate safeguards. It confirmed that the standards for determining the level of protection must be based on EU law, particularly the Charter. Within these parameters, the Court upheld the use per se of SCCs as a data transfer mechanism. However, it also found that since SCCs do not bind public authorities (such as law enforcement or security authorities) in third countries, they cannot restrain such authorities from accessing data transferred under them.

Therefore, the Court held, the contracting parties should make use of 'additional safeguards' to protect the data in addition to those provided under the SCCs, though it did not provide details as to what such additional safeguards should be. In its Recommendations 1/2020, the EDPB sees only encryption and pseudonymisation as supplementary measures that are capable of effectively neutralising the effects of a 'problematic law' in the third country, subject to certain requirements for the encryption or pseudonymisation, which are described in more detail in those Recommendations (see EDPB Recommendations 1/2020, paragraphs 84, 85). However, in some transfer scenarios it will not be possible to find supplementary measures that are effective and could thus still "save" the transfer.

In conclusion, personal data may not be transferred to the USA solely on the basis of the safeguard instruments under Article 46, but at most where a level of protection comparable to that of the EU can be guaranteed with the help of supplementary measures. The ECJ has hereby imposed a considerable burden on data exporters who wish to transfer personal data to a third country: they must actively deal with the legal situation in the third country on an ongoing basis. From this point of view, the Schrems II ruling of the ECJ could initiate a trend towards bringing data processing operations back from third countries to the European Union, combined with a restructuring of business processes both for controllers and for providers of processing services, such as servers and storage space.

Incidentally, this finding of the ECJ also applies to the other safeguard instruments within the meaning of Article 46, since all these instruments are of a contractual or quasi-contractual nature and therefore cannot bind third-country authorities.

(2) Appropriate Safeguards

Article 46(2) GDPR provides a list of appropriate safeguards that the controller or processor may use. Transfers based on such instruments do not require prior authorisation from the DPA. Thus, no approval is required for transfers based on (a) a legally binding and enforceable instrument between public authorities or bodies; (b) binding corporate rules in accordance with Article 47; (c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2); (d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2); (e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or (f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

(a) Legally binding and enforceable instrument between public authorities or bodies

The reference to 'a legally binding and enforceable instrument between public authorities or bodies' allows data transfers based on enforceable legal instruments between public authorities or bodies in the EU and those in third countries. This could include, for example, an international agreement (i.e. a treaty) to share data between an EU-based public authority and one in a third country.[4] The provision does not clarify what is meant by an instrument. Recital 108, however, makes it clear that it may be "administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects".

(b) Binding corporate rules in accordance with Article 47

The Binding Corporate Rules allow the transfer of personal data to third countries without an adequacy decision, when the transfer takes place within the same group of companies. Please refer to the commentary on Article 47 GDPR.

(c) Standard data protection clauses adopted by the Commission under Article 93(2)

The Standard Data Protection Clauses, already provided for under the previous legal framework in Article 26(4) of Directive 95/46/EC, are in fact a set of predefined clauses prepared by the European Commission and adopted under Article 93(2) GDPR. A first set of SCCs was introduced with Decisions 2001/497/EC and 2010/87/EU.[5] As already reported elsewhere, with the Schrems II decision the EU Court of Justice emphasised that not only adequacy decisions (Article 45 GDPR) but also SCCs must ensure an essentially equivalent level of protection. Taking this into account, on 4 June 2021 the European Commission adopted Implementing Decision (EU) 2021/914, which established a new set of SCCs. These clauses transpose the main aspects of the GDPR into contractual terms. Among other things, the contractual parties are required to inform the data subject in accordance with Article 13(1)(f) GDPR and to allow the data subject to exercise his or her rights under the law of the Member States. The importing party must also provide an easy point of contact for the data subject to make any complaints or claims, possibly to a DPA or a court located in the European Union. Further, data subjects will be able to be represented in court by non-profit associations and to claim compensation for damages resulting from unlawful processing operations. Finally, there is an obligation to continuously check the legislation of the third country against the purposes of protecting personal data.

(d) Standard data protection clauses adopted by a supervisory authority and approved by the Commission

A further innovation of the GDPR is the possibility for standard data protection clauses to be adopted not only by the Commission but also by the DPAs of the individual Member States. The adoption of such clauses requires, firstly, the mandatory opinion of the EDPB under Article 64(1)(d) GDPR and, subsequently, the acceptance of the Commission under the procedure provided for in Article 93(2) GDPR.

(e) Approved code of conduct pursuant to Article 40

Codes of conduct are another novelty brought by the GDPR. They are drawn up by associations or other bodies representing certain groups of controllers or processors and provide these bodies with guidelines for the application of the provisions of the GDPR, for example with regard to technical and organisational security measures, reporting obligations in the event of data protection violations, but also data transfers to third countries or to international organisations. For further information, please refer to the commentary on Article 40 GDPR.

(f) Approved certification mechanism pursuant to Article 42

The GDPR does not contain a definition of "certification mechanism" although Article 42 refers to "data protection seals and marks". An example of a certification mechanism would thus "presumably be a trustmark placed on a website, which would have to be backed up by some sort of code of conduct or code of practice". Certification mechanisms are voluntary, but under Article 42(5) they may be approved either by a DPA or a national certification body as set out in Article 43. A certification mechanism must contain "binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards", and must thus be legally binding. No additional DPA authorisation is required for the use of a certification mechanism once it has been approved.[6]

(3) Other Safeguards which require an Authorisation by the DPA

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or (b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

(a) Contractual clauses

(b) Administrative arrangements

(4) Consistency Mechanism in case Paragraph 3 Applies

(5) Continuous Validity

Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

Decisions

→ You can find all related decisions in Category:Article 46 GDPR

References

  1. Schantz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 46 GDPR, margin number 4 (Beck 2019, 1st ed.) (accessed 3 March 2022).
  2. Schantz, in Simitis, Hornung, Spiecker gen. Döhmann, Datenschutzrecht, Article 46 GDPR, margin number 10 (Beck 2019, 1st ed.) (accessed 3 March 2022).
  3. For further details on the decision, please refer to the summary provided under Article 45 GDPR.
  4. Kuner, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 46 GDPR, p. 806 (Oxford University Press 2020).
  5. Available here (accessed 3 March 2022).
  6. Kuner, in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 46 GDPR, pp. 807-808 (Oxford University Press 2020).