In the context of the Schrems II case (see a summary here), we continue our analysis of alternative vehicles allowing the transfer of personal data to third countries outside the European Economic Area.
In previous papers, we focused on Binding Corporate Rules (BCR) [link] as alternatives to the Standard Contractual Clauses (SCC) [link]. This time, we will look at the so-called “derogations for specific situations” set forth under Article 49 GDPR as a subsidiary vehicle to transfer personal data.
Derogations for specific situations: a subsidiary vehicle to transfer personal data?
Derogations for specific situations may be relied on to transfer personal data to a third country only in the absence of
- an adequacy decision (namely a decision from the European Commission recognizing a third country, a territory or specified sector within a third country, or an international organisation, as offering an adequate level of data protection), and
- appropriate safeguards, such as a legally binding and enforceable instrument between public authorities or bodies, binding corporate rules, Standard Contractual Clauses, an approved code of conduct or an approved certification mechanism.
First, it is important to note that the derogations allowing the transfer of personal data are exceptions to the rule that an adequacy decision or appropriate safeguards must be in place. As exceptions, they are interpreted restrictively (so that the exceptions do not become the rule).
In general, because relying on derogations triggers a higher risk for the rights and freedoms of individuals, the following overarching principles apply to the use of derogations:
- Subsidiary nature: if the third country is not covered by an adequacy decision, a data controller should first endeavour to put appropriate safeguards in place, and only in the alternative may it rely on the derogations under Article 49 GDPR;
- Occasional transfer: certain derogations can only be used for processing activities that are occasional and non-repetitive, excluding systematic and repeated transfers;
- Necessity test: the data transfer has to be strictly necessary for the specific purpose of the derogation that is relied on;
- Two-step approach: as for other data transfer mechanisms, use of the derogations requires a two-step approach: first, the processing must comply with all GDPR principles and a legal basis must apply to the processing (see Art. 5 and 6 GDPR); secondly, one of the derogations under Article 49 must apply to the transfer at hand.
View of the Supervisory Authorities
On May 25, 2018, the European Data Protection Board (EDPB), composed of the head of one supervisory authority of each Member State, adopted Guidance on derogations in the context of international data transfers (see here), analysing the scope and conditions of each of the derogations listed below.
- Data subject’s explicit consent: in addition to the general conditions for the validity of consent, consent to a data transfer must be explicit, specifically given for that particular data transfer, and informed (including about all specific circumstances of the transfer and particularly as to the possible risks of the transfer).
- Necessity for the performance of a contract (or to take precontractual measures): this requires a close and substantial connection between the transfer and the purpose of the contract (necessity test) and the transfer to remain occasional.
- Necessity for the conclusion or performance of a contract concluded in the interest of the data subject: here again, the two criteria of necessity and occasional character of the transfer must be complied with.
- Necessity for important reasons of public interest: must also meet the necessity test, although it is not limited to “occasional” transfers. The public interests that are invoked must be recognized under European Union or Member State law.
- Establishment, exercise or defense of legal claims: again, the “occasional” and “necessity” tests must be met. The mere possibility that legal proceedings or formal procedures may be brought in the future is not sufficient. Be aware also of so-called “blocking statutes” in some jurisdictions.
- Vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent: applies, for example, in case of a medical emergency.
- Transfer made from a public register: only applies to public (not private) registers. Access must comply with the conditions for consultation of the register as set under Union or national law.
- Compelling legitimate interests of the data controller not overridden by the interests or rights and freedoms of the data subject: this is a new derogation introduced by the GDPR, which can only be used as a last resort, where none of the other derogations applies. Reliance on it must be properly documented. The transfer must remain limited and suitable safeguards must be implemented. Lastly, the competent supervisory authority and the data subject must be informed.
In conclusion, relying on the Article 49 derogations goes hand-in-hand with strict compliance with the accountability principle, in particular the need to demonstrate and document that a layered approach has been followed (first trying to implement appropriate safeguards).
Except for the last derogation (compelling legitimate interests), a transfer based on a derogation need not be notified to or approved by a supervisory authority. This means that the data controller has to make its own assessment as to whether the conditions for a specific derogation are met, with the risk that this assessment is later invalidated by a competent authority or court.