On May 25th 2018, the European Data Protection Board (hereafter, the “EDPB”), formerly known as the Article 29 Working Party, adopted Guidelines on the derogation grounds contained in Article 49 GDPR, which constitute an exception to the general principles for the transfer of personal data to third countries or international organisations enshrined in Articles 45 and 46 GDPR.
Article 49 (1) provides that, in cases where neither an adequacy decision has been adopted by the European Commission under Article 45 nor any other appropriate safeguards, such as binding corporate rules, have been put in place pursuant to Article 46, an international data transfer may still be made if one of the following conditions is met:
- the data subject has explicitly consented to the specific transfer proposed, after having been informed of the possible risks of such transfers;
- an occasional transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the data subject’s request;
- an occasional transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest, which have to be recognised in Union law or in the law of the Member State to which the controller is subject;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
- the transfer is made from a public register, provided that such a transfer does not involve the entirety of the personal data or entire categories;
- the transfer is necessary for the purposes of compelling legitimate interests pursued by the data controller (provided that the conditions set out in Article 49 (1) §1 are met as well).
The EDPB points out that any data transfer, in the first place, has to comply with Articles 5 and 6 concerning the lawful basis of processing activities.
With regard to Article 49, the EDPB stresses that:
- Article 49 constitutes an exemption to the general principles in international data transfer matters and should only be used when Articles 45 and 46 do not apply;
- the derogation grounds shall be interpreted restrictively in order to prevent a situation where the exception becomes the rule;
- in the case of derogation grounds described in points 2, 3, 4, 5 and 8, data exporters should apply the “necessity test” in order to assess whether a transfer can be considered necessary for the specific purpose of the derogation to be used.
Considering the individual derogation grounds, the EDPB highlights the following:
- With regard to the transfer based on the data subject’s consent (point 1), the EDPB, referring to the relevant WP29 Guidelines, notes that consent must be not only freely given, specific, informed, and unambiguous, as set out in Article 4 (11), but also explicit. Moreover, the requirements “specific” and “informed” are interlinked, meaning that the consent has to refer to the particular data transfer in question, in order to allow the data subject to evaluate the specific risks resulting from the proposed transfer. The information provided should specify the risks, such as the absence of a supervisory authority or of data subject rights in that country, and communicate important information such as the data recipients, the countries to which data is being transferred, etc.
- With regard to the transfers necessary for the performance of contracts (points 2 and 3), these must be occasional and show a close and substantial connection between the data transfer and the purposes of the contract.
- With respect to a transfer necessary for important reasons of a public interest (point 4), the finding of such a public interest may be legitimately assumed in the case of international agreements or conventions to which the EU or the Member States are party, on the basis of the reciprocity principle. Although this derogation also applies to non-occasional transfers, its use should be excluded for large-scale, systematic transfers for which appropriate safeguards should be put in place.
- With particular regard to the transfer necessary for the purposes of compelling legitimate interests pursued by the data controller (point 8), this derogation is envisaged as a last resort that can be applied only in cases where it is not possible to use the transfer tools provided in Articles 45 or 46 or one of the specific derogations set out in Article 49 (1) §1. In addition, for this specific derogation to be applicable, the following conditions shall apply as well:
  - Compelling legitimate interest of the controller: Only interests of the data controller which can be recognised as “compelling” are relevant (assuming that these interests are not overridden by the interests or rights and freedoms of the data subject). According to the EDPB, an example of a compelling interest could be a data controller who is compelled to transfer the personal data in order to protect its organisation or systems from serious immediate harm or from a severe penalty which would seriously affect its business.
  - Not repetitive transfer: The derogation at stake can only apply to a transfer that is not repetitive.
  - Limited number of data subjects involved: The transfer must only concern a limited number of data subjects; the assessment of a “limited number” depends on the context, which means that “the number must be appropriately small taking into consideration the type of transfer in question”.
  - Balancing the “compelling legitimate interests of the controller” against the “interests or rights and freedoms of the data subject”: A balancing test between the data exporter’s (compelling) legitimate interest pursued and the interests or rights and freedoms of the data subject has to be performed. Furthermore, “suitable safeguards” regarding the protection of the data transferred have to be provided, so as to minimise the identified risks caused by the data transfer for the data subject. In order to assess what could be considered “suitable safeguards”, the data exporter needs to take into account the nature of the data, the purpose and duration of the processing, as well as the situation in the country of origin, the third country and, if any, the country of final destination of the transfer.
  - Information of the data protection authority: The supervisory authority shall be informed about the transfer based on this specific derogation, in order to enable the authority to assess the data transfer as to its possible impact on the rights and freedoms of the data subjects affected.
  - Information to the data subject: The data subject shall be informed of the transfer and of the compelling legitimate interests pursued (in addition to the information provided according to Articles 13 and 14 GDPR).
In order to comply with the indications of the EDPB, data exporters shall:
- avoid using derogation grounds, as they bear increased risks for the rights and freedoms of the data subjects;
- only make use of them when no other measure contained in Articles 45 and 46 can take place;
- be aware that Union or Member State law may expressly limit transfers of specific categories of personal data, for important reasons of public interest;
- make sure that the transfer is occasional and not repetitive;
- carry out a specific “necessity test” for each derogation ground that requires it;
- in case of a transfer necessary for compelling legitimate interests, make sure that it is possible to demonstrate:
  - that it was possible neither to base the data transfer on the transfer tools provided in Articles 45 and 46 nor to apply one of the derogations contained in Article 49 (1) § 1;
  - that the additional conditions (points 1 to 6 under the previous paragraph) are met.