Apart from standard contractual clauses as a legal ground for transferring data to countries outside the EU/EES, there are GDPR Article 49 derogations applicable to international transfers. There are a total of nine exemptions. This summary will walk you through the exemptions in order to make sure your business is on top of things. Reading time: 3 minutes
Derogation from the general principle
Article 49 derogations are exemptions from the general principle. The general principle states that personal data may only be transferred to third countries if an adequate level of protection is provided for in the third country or if appropriate safeguards have been adduced and the data subjects enjoy enforceable and effective rights in order to continue to benefit from their fundamental rights and safeguards. In the absence of an adequacy decision or of appropriate safeguards pursuant to including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
The data exporter and the data importer are responsible for that the transferring complies with the GDPR. When assessing the exemptions under Article 49, it is important to do a case-by-case assessment. Furthermore, article 49 sets out standards for the “necessity” and “occasionally” of the transfer that must be premeditated.
Consent
The first ground of Article 49 derogations is consent. For consent to apply you need to make sure that the data subject explicitly has consented to the proposed transfer. You also need to inform the data subject of the possible risks of such transfers for the data subject. This includes information about the risks due to the absence of an adequacy decision and appropriate safeguards. To summarise, this ground is heavy in requirements on the data exporter since “consent” in the sense of Article 49 is different from the standard GDPR consent. For example; if you have collected data at one point with the ground consent, you can not transfer it to a third country without a new informed and specific consent. If the time-range is not that far, it can be enough with only information about the transfer to the data subject.
These high set standards for a valid consent according to article 49 makes the use of the derogation consent limited. Together with the fact that a consent can be withdrawn at any time this ground is not the most suitable if you aspire for a long term solution for transfers to third countries.
Necessary for the performance of a contract
The second ground targets the transfer necessary for the performance of a contract between the data subject and the controller. It also targets transfer necessary for the implementation of pre-contractual measures taken at the data subject’s request. The keywords for this exemption are “taken at the data subjects interest”, “occasional” and “necessary”. The “necessity trial” limits the number of cases applicable to this exemption. It requires a close and meaningful correlation between the transfer and the object of the contract.
The “occasional” trial further limits the use of this exemption. This assessment must to be done case-by-case. The transfer should not be done repetitivedly. For example, the transfer from a bank in the EU/EES to another bank in a third country can be legal under article 49 if it is occasional and necessary for the contract in question. If the transfer, on the other hand, is part of a longterm partnership between the banks, this exemption is not applicable.
The third ground of the Article 49 derogations is similar to the second. What separates the two are the contractual relationship in hand. This exemption targets the transfer made between the controller and another person or company outside EU/EES in order to enter or fulfil a contract in the interest of the data subject. The same requirements, as stated above, applies to this exemption as well.
Important public interest
The third ground makes an exemption for transfers that are necessary for an important public interest. Only public interests recognised in Union law or in the law of the Member State to which the controller is subject can lead to the application of this exemption. Furthermore, it is not enough that the nature of the organisation that transfers and/or receives data is an important public interest; the transfer itself needs to be necessary for this interest. The “occasional” trial does not limit this ground like with many of the other grounds. Therefore this ground is more suitable for longterm transfer agreements.
The fourth exemption is for the establishment, exercise or defence of legal claims. The transfer needs to be necessary for the question in hand and must be occasional.
The fifth exemption applies when you transfer data in the event of a medical emergency.
Register
The transfer of personal data from registers to a country outside of EU/EES can be allowed under certain conditions. The register must either provide information to the public or any person who can demonstrate a legitimate interest. These could be, for example, registers of companies, registers of associations, registers of criminal convictions, title registers or public vehicle registers. This exemption does not, like many of the previous, have the limitation as for “occasional”. The register can be both in written and/or electronic form.
Compelling legitimate interests
This ground is the last way out. For the use of this exemption, you must go through and dismiss all of the above. The data exporter must be able to demonstrate that it was neither possible nor appropriate to use other grounds. Personal data can be transferred under this exemption if it is necessary for compelling legitimate interests pursued by the data exporter.
Takeaways
In the light of the CJEU Judgement in Schrems ll, the court limits the use of SCC:s for third country transfers. To be able to still transfer to third countries the Article 49 derogations makes a crucial tool.