Data Transfer Based on Derogations under Article 49 of GDPR

The General Data Protection Regulation (GDPR) allows for the transfer of personal data to third countries under specific derogations outlined in Article 49. These derogations are exceptions to the general rule that personal data may only be transferred if the receiving country ensures an adequate level of protection or, failing that, appropriate safeguards are in place. Below is a detailed overview of each derogation:

1. Explicit Consent

Conditions:

  1. The data subject must provide explicit consent for the transfer of their personal data.
  2. Consent must be informed, specific, and freely given.
  3. The data subject should be made aware of the risks associated with the transfer, especially in the absence of adequate protection.
  4. The European Data Protection Board (EDPB) guidelines outline how companies should ask for consent before sharing personal data. They say that you should be told:

Who's Getting Your Data: Exactly who will receive your information (or at least the type of companies).

Where It's Going: The specific countries where your data will be sent.

The Legal Reason: That your consent is the reason for the data transfer.

The Risk: That the country where your data is going might not have the same strong data protection laws as the EU.

Organizations should also inform individuals about the possible risks to their privacy, which may include things like:

No Watchdog: There might not be a government agency to protect your data in that country.

Weak Rules: The data protection laws might not be as strong.

Limited Rights: You might not have the same rights as you do in the EU.

This information should be clear and easy to understand so you can make an informed decision about whether or not to agree to the data transfer.

  • Consent can be withdrawn at any time, which may affect the legality of the transfer.
  • The EDPB guidance gives an interesting example that illustrates the significance of specific and informed consent:

"An EU company collects its customers’ data for a specific purpose (delivery of goods) without considering transferring this data, at that time, to a third party outside the EU. However, some years later, the same company is acquired by a non-EU company which wishes to transfer the personal data of its customers to another company outside the EU. In order for this transfer to be valid on the grounds of the consent derogation, the data subject should give his/her consent for this specific transfer at the time when the transfer is envisaged. Therefore, the consent provided at the time of the collection of the data by the EU company for delivery purposes is not sufficient to justify the use of this derogation for the transfer of the personal data outside the EU which is envisaged later."

2. Contractual Necessity

Conditions:

  • The transfer must be necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures taken at the data subject’s request.
  • The necessity of the transfer must be established, meaning there should be a close and substantial connection between the transfer and the contract.
  • Transfers must be occasional, meaning they should not occur regularly or systematically.
  • The data transferred must be limited to what is necessary for the purpose of the contract.
  • Another derogation allows the transfer of personal data to third countries based on a contract between the data controller and another natural/legal person in the interest of the data subject.

3. Legal Claims

Conditions:

  • The transfer is necessary for the establishment, exercise, or defense of legal claims.
  • There must be a clear and direct link between the transfer and the legal proceedings.
  • The transfer must also be occasional and necessary.
  • The data exporter must ensure that only the data necessary for the legal claim is transferred.

4. Important Public Interest

Conditions:

  • The transfer must be necessary for reasons of substantial public interest, which must be clearly defined and documented.
  • The necessity of the transfer must be justified, and it should not undermine the fundamental rights of the data subjects.
  • The transfer must be occasional and not systematic. Although this is not explicitly outlined in Recitals 111 and 112, on a restrictive interpretation systematic transfers cannot be made based on this derogation.

5. Vital Interests

Conditions:

  • The transfer is necessary to protect the vital interests of the data subject or another person, particularly in emergencies (e.g., medical situations).
  • The necessity of the transfer must be clearly justified, especially when the data subject is incapacitated and unable to give consent.
  • The transfer must be limited to what is necessary to protect those vital interests.

6. Transfer made from a public register

  • Legal Establishment: The register must be created and governed by law.
  • Public Access: It must be open for consultation by the general public or individuals with a legitimate interest.
  • Compliance with Conditions: Transfers can only occur if the specific conditions for consultation set by Union or Member State law are met.
  • Case-by-Case Assessment: Each transfer must be evaluated individually, considering the interests and rights of the data subjects.
  • Data Limitation: Only the necessary data for the specific purpose of the transfer can be shared, not the entirety of the data in the register.

7. Compelling Legitimate Interests

Conditions:

  • The transfer is necessary for compelling legitimate interests pursued by the data exporter or a third party, provided that these interests are not overridden by the interests or fundamental rights of the data subject.
  • The transfer must concern only a limited number of data subjects, meaning it should not apply to a large group or all individuals within a category.
  • This derogation is a last resort and can only be used if no other provisions in Articles 45 or 46 apply.
  • A thorough risk assessment must be conducted to evaluate the impact on the data subject's rights.
  • The transfer must be occasional and not systematic.

Occasional and Necessary Transfers

Occasional Transfers:

  • Transfers under the derogations must be "occasional," meaning they should not occur regularly or systematically.
  • An occasional transfer is characterized by its infrequency and unpredictability, occurring under specific, non-repetitive circumstances.
  • The EDPB guidance note gives the following examples to clarify what counts as an occasional transfer: "A data transfer that occurs regularly within a stable relationship between the data exporter and a certain data importer can basically be deemed as systematic and repeated and can therefore not be considered occasional or not-repetitive. Besides, a transfer will for example, generally be considered to be non-occasional or repetitive when the data importer is granted direct access to a database (e.g. via an interface to an IT-application) on a general basis."

Necessary Transfers:

  • The necessity test is a critical component for all derogations. The transfer must be essential for the specific purpose outlined in the derogation.
  • Data exporters should evaluate whether the transfer is truly necessary and cannot be achieved through other means, such as anonymization or pseudonymization.
  • The principle of data minimization must be respected, ensuring that only the data necessary for the purpose is transferred.

Conclusion

When considering the transfer of personal data to third countries under the derogations of Article 49, it is crucial for data exporters to carefully assess each situation. The conditions outlined above must be strictly adhered to, ensuring that the fundamental rights of data subjects are respected and protected. The EDPB emphasizes that these derogations should not become the norm and should only be applied in specific, justified circumstances.

Kritika Arora

Portfolio Manager - Caspian Debt || Growth Capital || Lead Ratings Analyst - Careedge Group || Ex-Caspian Debt || Underwriting || Impact Investment || Ex-ICICI || Dean's List || MBA, Finance

4 months

Very informative Kartik!

Sarib Khan

Advisor for Legal & Data Privacy Matters, CIPP/E

4 months

Well written
