Search for:

Data Transfers: Derogations for specific situations (Art. 49 GDPR)

In the context of the “Schrems II case,” we continue our analysis of alternative vehicles allowing the transfer of personal to third countries outside the European Economic Area. In previous papers, we focused on Binding Corporate Rules (BCR) as alternatives to the Standard Contractual Clauses (SCC). This time, we will look at the so-called “derogations for specific situations” set forth under Article 49 GDPR as a subsidiary vehicle to transfer personal data.

Derogations for specific situations: a subsidiary vehicle to transfer personal data?

Derogations for specific situations may be relied on to transfer personal data to a third country only in the absence of

(i) an adequacy decision (namely a decision from the European Commission recognizing a third country, a territory or specified sector within a third country, or an international organisation, as offering an adequate level of data protection), and

(ii) appropriate safeguards such as a legally binding and enforceable instrument between public authorities or bodies, binding corporate rules, Standard Contractual Clauses, approved code of conduct or certification mechanism. First, it is important to note that derogations allow transferring personal data are exceptions to the rule of having adequacy decisions or appropriate safeguards in place. As exceptions, they are interpreted restrictively (so that the exceptions do not become the rule).

In general, because relying on derogations triggers a higher risk for the rights and freedoms of individuals, the following overarching principles apply to the use of derogations:

  • Subsidiary nature: if the third country is not covered by an adequacy decision, a data controller should first endeavour to put appropriate safeguards in place, and only in subsidiary order, could rely on the derogations under Article 49 GDPR
  • Occasional transfer: certain derogations can only be used for processing activities that are occasional and non-repetitive, excluding systematic and repeated transfers
  • Necessity test: the data transfer has to be strictly necessary for the specific purpose of the derogation that is relied on
  • Two-step approach: as for other data transfer mechanisms, use of the derogations requires to apply a two-step approach: first, the processing must comply with all GDPR principles and a legal basis must apply to the processing (see Art. 5 and 6 GDPR); secondly, one of the derogation under Article 49 must apply to the transfer at hand.

View of the Supervisory Authorities

On 25 May 2018, the European Data Protection Board (EDPB), composed of the head of one supervisory authority of each Member State, adopted Guidance on derogations in the context of international data transfers, analysing the scope and conditions of each of the derogations listed below.

  1. Data subject’s explicit consent: in addition to the general conditions for the validity of consent, consent to a data transfer must be explicit, specifically given for that particular data transfer, and informed (including about all specific circumstances of the transfer and particularly as to the possible risks of the transfer).
  2. Necessity for the performance of a contract (or to take precontractual measures): this requires a close and substantial connection between the transfer and the purpose of the contract (necessity test) and the transfer to remain occasional.
  3. Necessity for the conclusion or performance of a contract concluded in the interest of the data subject: here again, the two criteria of necessity and occasional character of the transfer must be complied with.
  4. Necessity for important reasons of public interest: must also meet the necessity test, although, it is not limited to “occasional” transfers. The public interests that are invoked must be recognized under European Union or a Member State law.
  5. Establishment, exercise or defense of legal claims: again, the “occasional” and “necessity test” must be met. The mere possibility that legal proceedings or formal procedures may be brought in the future is not sufficient. And be aware of so-called “blocking statutes” in some jurisdictions.
  6. Vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent: applies, for example, is case of medical emergency.
  7. Transfer made from a public register: only applies to public (not private) registers. Access must comply with the conditions for consultation of the register as set under Union or national law.
  8. Compelling legitimate interests of the data controller not overridden by the interests or rights and freedoms of the data subject: This is a new derogation introduced by the GDPR, which can only be used as a last resort, where none of the other derogations applies? This must be properly documented. The transfer must remain limited and suitable safeguards must be implemented. Lastly, the competent supervisory authority and the data subject must be informed.

Finally . . .

As a conclusion, it appears that relying on Article 49 derogations goes hand-in-hand with strict compliance with the accountability principle, in particular the need to demonstrate and document that a layered approach has been followed (first trying to implement appropriate safeguards).

Except for the last derogation (compelling legitimate grounds), transfer based on a derogation must not be notified to nor approved by a supervisory authorities. This means that the data controller has to make its own assessment as to the fact that the conditions for a specific derogation are met, with the risk that this would at a later stage be invalidated by a competent authority or court.

Author

Francesca Gaudino is a member of Baker McKenzie’s Information Technology & Communications Group in Milan. She focuses on data protection and security, advising particularly on legal issues that arise in the use of cutting edge technology. She has been recognized in Chambers Europe’s individual lawyer rankings from 2011 to 2014. Ms. Gaudino is a regular contributor on international publications such as World Data Protection ReviewDataGuidance, and others. She routinely holds lectures on data privacy and security at post-graduate courses of SDA – Manager Direction School of the Milan Bocconi University and Almaweb – University of Bologna. She regularly speaks at national and international conferences and workshops on the same topics.

Author

Wouter Seinen is a partner in the Firm's IP/IT & Commercial Practice Group in Amsterdam. He has significant experience in assisting national and international clients with respect to issues concerning ownership and protection of electronic data. Seinen has a particular interest in all internet-related issues on the subject of intellectual property rights. Moreover, he has a record in IT and outsourcing transactions, with a particular focus on business process outsourcing. He is also a keen negotiator and litigator.

Author

Senior IT/C lawyer

Author

Elisabeth Dehareng has been a partner in Baker McKenzie's Brussels office since 2014. Ms. Dehareng advises clients in all fields of IT, IP and new technology law, with a special focus on data protection and privacy aspects. She regularly works with companies in the healthcare, finance and transport and logistics sectors.

Author

Andre Walter is a member of the IT/IP Commercial practice group of Baker McKenzie in Amsterdam. He is a strategic compliance adviser at the data protection and privacy practice and has more than 20 years of industry experience. He managed and advised many projects across various industries, including financial services, manufacturing, healthcare, aviation, telecom, FMCG and retail