Under GDPR, there are essentially 3 possibilities to transfer data to a country outside of the European Union (hereafter a “third country”):
- The EU Commission has adopted an adequacy decision recognizing that the third country provides a similar standard with regard to data protection as the EU (so far only Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework))
- The data controller or processor has provided appropriate safeguards (art 46 GDPR)
- The data transfer occurs exceptionally, based on a derogation foreseen by GDPR (art 49 GDPR)
Regarding the 3rd option, the European Data Protection Board (EDPB) has adopted new Guidelines on 25 May 2018 (Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, hereafter the “Guideline”).
Before entering into a detailed analysis of each of the possible derogations (see below), EDPB provided a few general guidelines on how to apply these derogations.
I. General comments
1) Using the exception as a last resort
The data exporter shall use a layered approach, meaning it should first consider whether the third country provides an adequate level of protection.
If the level of protection is not adequate, it should consider providing appropriate safeguards within the meaning of GDPR.
Only if neither of these two options can be fulfilled should the data exporter consider derogations under article 49 GDPR.
2) Occasional and not repetitive transfers
EDPB provides further clarification on the terms “occasional” and “not repetitive” used within GDPR explaining that the transfers may happen more than once, but not regularly. This could mean outside the regular course of actions, for example, under random, unknown circumstances and within arbitrary time intervals.
According to the Guideline, a transfer can generally be considered non-occasional or repetitive when the data importer is granted direct access to a database (e.g. via an interface to an IT application) on a general basis.
3) The transfer must be necessary
The necessity test (required for the use of certain derogations of Article 49 GDPR) requires an evaluation by the data exporter in the EU of whether the transfer of personal data can be considered necessary for the specific purpose of the derogation used.
4) Decisions from third country authorities or Courts
GDPR clarifies that decisions from third country authorities or Courts are not in themselves legitimate grounds for data transfers to third countries (Article 48 GDPR). Therefore, a transfer in response to a request by a third country authority or Court is only lawful if it complies with the conditions set out in the specific chapter of GDPR governing transfers of personal data to third countries.
EDPB also clarified that where an international agreement exists between the country where the data exporter is located and the country where the data importer is located, such as a legal assistance treaty, EU companies should generally refuse direct requests and refer the requesting third country authority to this agreement.
II. Specific guidelines
The Guideline then clarifies the requirements for each derogation foreseen by GDPR (Art 49(1)(a) to (g) and Art 49(1), second subparagraph, GDPR), i.e.:
- In case of explicit consent by the data subject,
- Transfer necessary for the performance of the contract between the data subject and the data controller or for the implementation of precontractual measures taken at the data subject’s request,
- Transfer necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person,
- Transfer is necessary for important reasons of public interest,
- Transfer is necessary for the establishment, exercise or defense of legal claims,
- Transfer is necessary in order to protect the vital interest of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent,
- Transfer made from a public register,
- Transfer for compelling legitimate interest.
1) Data subject’s consent
a) Explicit consent
The Guideline first recalls that GDPR only allows a transfer of data to a third country based on consent if:
- The data subject has explicitly consented to the proposed transfer and
- The data subject has been informed beforehand of the possible risks of such transfers (due to the absence of an adequacy decision and appropriate safeguards).
With regard to “explicit consent”, EDPB refers to the Guidelines adopted by WP29 and endorsed by EDPB (WP29 Guidelines on Consent under Regulation 2016/679 (WP259), page 18, Section 4 “Obtaining explicit consent”).
One of the examples given by WP29 in the Guidelines on Consent shows the difference between “consent” and “explicit consent”:
A data controller may also obtain explicit consent from a visitor to its website by offering an explicit consent screen that contains Yes and No check boxes, provided that the text clearly indicates the consent, for instance “I, hereby, consent to the processing of my data”, and not for instance, “It is clear to me that my data will be processed”. It goes without saying that the conditions for informed consent as well as the other conditions for obtaining valid consent should be met.
b) Specific consent for the particular data transfer
One of the requirements for said transfer is that the valid consent is specific.
The Guideline clarifies that if consent is given by the data subject at a certain time for a specific purpose (e.g. delivery of goods), such consent will not suffice for the transfer of data to a data importer in a third country. In such case, explicit consent will need to be sought for this specific purpose.
c) Informed consent
Under GDPR, it is a general requirement that consent is “informed”, meaning the data subject must receive certain information prior to giving their consent.
In addition to these general information requirements, for transfers to third countries GDPR requires additional information on the specific risks resulting from the fact that the data will be transferred to a country not providing adequate protection and that no appropriate safeguards are in place.
One example of such risks given by EDPB is that there may be no supervisory authority in said country, or that data subjects’ rights are not protected by specific legal provisions.
2) Transfer necessary for the performance of a contract between the data subject and the data controller
The Guideline recalls once more that, in this case too, the derogation can only be relied upon if the transfer is both necessary and occasional.
a) Necessity
EDPB gives two concrete examples:
i) when the transfer cannot be considered as necessary
A corporate group has, for business purposes, centralized its payment and human resources management functions for all its staff in a third country. In such a case, there is no direct and objective link between the performance of the employment contract and the transfer. (That being said, EDPB also confirmed that standard contractual clauses or binding corporate rules would be suitable in this scenario.)
ii) when the transfer can be considered as necessary
The transfer by a travel agent of personal data concerning their individual clients to hotels or other commercial partners for the organization of the client’s stay abroad.
The example given of an occasional transfer is that of a sales manager who, in the context of his/her employment agreement, travels to different clients in third countries, and whose personal data are sent to those clients in order to arrange the meetings.
3) Transfer necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person
The Guideline gives an example of a case where this derogation does not apply:
Where an organization has, for business purposes, outsourced activities such as payroll management to service providers outside the EU, this derogation will not provide a basis for data transfers for such purposes, since no close and substantial link between the transfer and a contract concluded in the data subject’s interest can be established even if the end purpose of the transfer is the management of the pay of the employee.
However, the Guideline clarifies that other transfer tools, such as standard contractual clauses or binding corporate rules, provide a more suitable basis for such transfers.
4) Transfer is necessary for important reasons of public interest
The Guideline recalls here that “public interest” within the meaning of GDPR (and of Directive 95/46/EC before it) can only be interpreted strictly, meaning that a request by a foreign public authority does not, as such, fall under this derogation.
The existence of an international agreement or convention (to which the EU or the Member States are a party) which recognizes a certain objective and provides for international cooperation can be an indicator when assessing the existence of such a “public interest”.
The Guideline also confirms that this derogation can be relied upon by private entities and thus not only public authorities, as the essential requirement is the finding of a public interest and not the nature of the organization.
Although transfers on this basis are not limited to “occasional” transfers, the Guideline still emphasizes that this derogation does not permit large-scale transfers carried out in a systematic manner.
5) Transfer is necessary for the establishment, exercise or defense of legal claims
The Guideline gives the following examples of transfers that could fall under this derogation:
- Transfer of data for the purpose of defending oneself or for obtaining a reduction or waiver of a fine legally foreseen (e.g. anti-trust investigation),
- Formal pre-trial discovery procedures in civil litigation,
- Actions by the data exporter to institute procedures in a third country (e.g. commencing litigation or seeking approval for a merger).
The derogation shall not be used on the grounds of the mere possibility that legal proceedings or formal procedures may be brought in the future.
While the Guideline clarifies that the procedure must have a legal basis, it is not limited to judicial or administrative procedures, but may also cover out-of-court procedures.
6) Transfer necessary in order to protect the vital interest of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent
The Guideline clarifies that this derogation is meant for medical urgency matters.
The given example is that it must be legally possible to transfer data if the data subject, whilst outside the EU, is unconscious and in need of urgent medical care, and only an exporter (e.g. his usual doctor), established in the EU, is capable of providing the data.
The derogation cannot be used, according to the Guideline, to justify transferring personal medical data outside the EU if the purpose of the transfer is not to treat the particular case of the data subject or that of another person, but for example, to carry out general medical research that will not yield immediate results.
The incapacity can be physical, mental or legal (e.g. in the case of a minor).
7) Transfers made from a public register
The Guideline refers to a general definition of register as a “(written) record containing regular entries of items or details” or as “an official list or record of names or items”.
Since the register must necessarily be public (private registers are excluded), it must be open to consultation by either:
- The public in general, or
- Any person who can demonstrate a legitimate interest.
These could be: registers of companies, registers of associations, registers of criminal convictions, (land) title registers or public vehicle registers (provided the legal requirements for the consultation of said registers under local law are fulfilled).
Transfers can only be made at the request of persons with a legitimate interest, and by taking into account the data subject’s interests and fundamental rights.
8) Transfer for compelling legitimate interest
The Guideline clarifies that this new derogation only applies if no other transfer mechanism can be used (i.e. no adequacy decision, no appropriate safeguards, but also no other derogation under Art 49(1)(a) to (g)). The data exporter must be able to prove that none of these could apply.
The transfer shall also be “not repetitive” and limited to a certain number of data subjects (although no absolute threshold has been set, as it will depend on the context).
As regards the term “compelling legitimate interest”, it should not be confused with the notion of “legitimate interest” (Art 6(1)(f) GDPR).
The only example given by the Guideline is for a data controller who is compelled to transfer the personal data in order to protect its organization or systems from serious immediate harm or from a severe penalty which would seriously affect its business.
Once the “compelling legitimate interest” has been identified, the data controller shall nevertheless proceed to a balancing test between said compelling legitimate interest and the interest or rights and freedoms of the data subject. Based on this assessment, the data controller shall provide “suitable safeguards” regarding the protection of the data transferred.
The Guideline emphasized that any possible damage needs to be taken into consideration (e.g. physical, material, but also non-material e.g. relating to a loss of reputation).
A transfer under this derogation requires that the supervisory authority be informed, although the Guideline clarifies that the transfer does not need to be authorized by the supervisory authority.