I. Possibilities for data transfer pursuant to Article 46 of the GDPR:
1. Pursuant to Article 46(2)(a) of the GDPR, data may be transferred by a legally binding and enforceable instrument (international treaties, public-law treaties or self-executing administrative agreements). Any such instrument should set forth in detail:
– the core set of data protection principles: purpose limitation, data minimisation, storage limitation, integrity and confidentiality; the rights available to the data subjects, including the specific commitments taken by the parties to provide for such rights: the right to transparency, of access, to rectification, erasure, restriction of processing and to object, to automated individual decision-making and a the right to redress; the restrictions to the rights of the data subjects envisaged by Article 23 of the GDPR;
– the cases of onward transfers of data by the receiving public body or international organisation to recipients not bound by the agreement; transfer of sensitive personal data within the meaning of Article 9(1) of the GDPR (if provided for);
– the redress mechanisms available to natural persons;
– the supervision mechanisms;
– the possibilities to consult the competent supervisory authority.
2. Pursuant to Article 46(2)(e) of the GDPR, controllers/processors may transfer personal data to a third country if an approved code of conduct pursuant to Article 40 and Article 41 of the GDPR is available.
3. Pursuant to Article 46(2)(f) of the GDPR, controllers/processors may transfer personal data to a third country if an approved certification mechanism pursuant to Articles 42 and 42 of the GDPR is available.
4. Pursuant to Article 46(3)(a) of the GDPR, controllers/processors may transfer personal data to third countries subject to appropriate safeguards provided for by contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation, and the clauses so drafted should seek to achieve a level of protection of natural persons’ personal data equivalent to or higher than that ensured by the standard contractual clauses approved by the European Commission pursuant to Article 46(2)(c) of the GDPR.
5. Pursuant to Article 46(3)(b) of the GDPR, the transfer may be effected by provisions to be inserted into administrative arrangements (administrative arrangements, e.g. a Memorandum of Understanding). They must include the same information which is required when drafting the legally binding instruments pursuant to Article 46(2)(a) of the GDPR.
II. Possibilities for transfer of personal data to third countries pursuant to Article 49 of the GDPR.
1. When taking the option to apply the derogations for specific situations, regard should be had to the following general requirements: existence of a legal basis and compliance with all relevant provisions of the GDPR, including Chapter V; guarantees that natural persons’ fundamental rights will not be breached; first endeavouring possibilities to frame the data transfer with one of the mechanisms included in Articles 45 and 46 of the GDPR; assessing the presence of important reasons of public interest that limit transfers of specific categories of personal data to a third country or an international organisation (Article 49(5)); occasional and not repetitive transfers: they may happen more than once, but not regularly.
2. Pursuant to Article 49(1)(a) of the GDPR: the consent should comply with the requirements of Article 4(11) and Article 7 of the GDPR, which means that this consent must be explicit, specific and informed.
3. Pursuant to Article 49(1)(b) of the GDPR: where the transfer is necessary for the performance of a contract between the data subject and the controller or for the implementation of precontractual measures taken at the data subject’s request, it should be assessed whether the data transfer qualifies as necessary and occasional.
4. Pursuant to Article 49(1)(c) of the GDPR: where the data transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person, regard should also be had as to whether the transfer is necessary and occasional.
5. Pursuant to Article 49(1)(d) of the GDPR: where the transfer is necessary for important reasons of public interest: this derogation only applies only when it can be deduced from Union law or the law of the Member State to which the controller is subject that such data transfers are allowed for important public interest purposes.
6. Pursuant to Article 49(1)(e) of the GDPR: the transfer is necessary for the establishment, exercise or defence of legal claims. This derogation cannot be used to justify the transfer of personal data on the grounds of the mere possibility that legal proceedings or formal procedures may be brought in the future, and a close link is necessary between a data transfer and a specific procedure regarding the situation in question. A transfer of all relevant personal data in response to a request or for instituting legal procedures would not be in line with this derogation or with the GDPR. There should be a careful assessment of whether transfer of anonymised or pseudonymised data would be sufficient in the particular case.
7. Pursuant to Article 49(1)(f) of the GDPR: the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent: the data is transferred in the event of a medical emergency and where it is considered that such transfer is directly necessary in order to give the medical care required, including after the occurrence of natural disasters.
8. Upon transfer made from a public register: Article 49(1)(g) and Article 49(2) of the GDPR: the register in question must be intended to provide information to the public, and it should be borne in mind that:
– transfers from these registers may only take place if and to the extent that, in each specific case, the conditions for consultations that are set forth by Union or Member State law are fulfilled; the transfer cannot include the entirety of the personal data or entire categories of the personal data contained in the register (Article 49(2));
– data exporters would always have to consider the interests and rights of the natural persons;
– further use of personal data from such registers as stated above may only take place in compliance with applicable data protection law.
9. For the purposes of compelling legitimate interests: Article 49(1) §2 of the GDPR: in the absence of other conditions for transfer and according to the wording of the derogation, the transfer must be necessary for the purposes of pursuing compelling legitimate interests of the data controller which are not overridden by the interests or rights and freedoms of the data subject. The provision can only apply to a transfer that is not repetitive and must only concern a limited number of data subjects. The data controller must inform the supervisory authority and must inform the data subject of the transfer and of the compelling legitimate interests pursued.
Working documents of the EDPS related to the application of Art. 46 and Art. 49 :
17.05.2021
