Article 46
Transfers subject to appropriate safeguards

Recitals of the Regulation related to article 46

(105) Apart from the international commitments the third country or international organisation has entered into, the Commission should take account of obligations arising from the third country's or international organisation's participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or international organisations.

(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

(109) The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.

(110) A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

(114) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred so that that they will continue to benefit from fundamental rights and safeguards.

Recitals of the Directive related to article 46

(59) Whereas particular measures may be taken to compensate for the lack of protection in a third country in cases where the controller offers appropriate safeguards; whereas, moreover, provision must be made for procedures for negotiations between the Community and such third countries;

The GDPR

Article 46 of the Regulation repeats and details the exception laid down in Article 26 (2) of the Directive, which applies where sufficient safeguards are provided by the controller or the processor and in the absence of a Commission decision finding an adequate level of protection. It should be remembered here that the controller or the processor is no longer required to assess this level. In the absence of such a decision, the conditions of this exception must be met (or those of one of the exceptions provided for in Articles 47 and 49).

The final version of the Regulation supplements paragraph 1 of Article 46, adding that the transfer with appropriate safeguards is authorised only on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

The implementation of the measures listed in article 46 (2) takes place without permission of the supervisory authority; it can be:

- by a legally binding and enforceable instrument between public authorities or bodies (a) or

- by binding corporate rules in accordance with Article 47. Recital 110 adds that these corporate rules must include the essential principles and the enforceable rights providing appropriate safeguards for the transfers or the categories of transfers of personal data or

- by standard data protection clauses adopted by the Commission (c) or jointly by a supervisory authority and by the Commission (d), or

- by an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights (e), or

- by an approved certification mechanism pursuant to Article 42 certifying the compliance of the processing with the rules of the Union (f).

Paragraph 3 details other measures for which the prior authorization of the competent supervisory authority is required. In these cases, the supervisory authority must respect the consistency mechanism defined in Article 64, which stipulates that the opinion of the European Data Protection Board must be sought (see 64 (1), e)).

The following are subject to authorization:

- the contractual clauses that would not have been subject to prior adoption by the Commission or by a national supervisory authority, entered into between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization (Art. 46 (3), a)) or

- provisions to be inserted into administrative arrangements between public authorities or bodies (Art. 46 (3), b)). The final version of the Regulation specifies that these arrangements should ensure the effectiveness of the rights granted to data subjects.

Lastly, Paragraph 5 states that the authorizations issued by a Member State or a supervisory authority pursuant to the Directive remain valid until their amendment, revision, or repeal by the same authority. The same applies to the decisions of the Commission taken pursuant to Article 26 (4) of the Directive.

The Directive

The Directive provided various exceptions to the prohibition of treatment resulting from the absence of an adequate level of protection.

One of them is laid down in Article 26 (2) and applies when the controller offers sufficient safeguards with respect to the protection of the privacy and fundamental rights of individuals, as well as with respect to the exercise of the corresponding rights and freedoms. This derogation implies that the controller shall have taken special measures to meet the shortfall in the level of protection of the country of destination of the personal data.

According to Article 26 (2) of the Directive, these appropriate safeguards may result from appropriate contractual clauses. Standard contractual terms have therefore been developed to regulate the transfers of data outside the EU by formalizing the protection rules contained in the Directive. Models were then adopted by the European Commission in accordance with Article 26 (4) of the Directive. In practice, this provision gave the Commission the power to find, by way of decision, that some standard contractual clauses offered sufficient safeguards, which then required the Member States to authorise the transfers based on these standard contractual clauses. The Commission decision should be adopted in accordance with the procedure laid down in Article 31, paragraph 2, providing for referral to the Committee under Article 31 (see decisions 2001/497/EC; 2002/16/EC; 2004/915/EC; 2010/87/EU).

An alternative to the standard contractual clauses has emerged since 2003: internal corporate rules (called Binding Corporate Rules). Though initially sceptical, it was the Article 29 Working Party that developed this system in its working paper WP 74 of 3 June 2003 (working paper WP 74: Transfers of personal data to third countries pursuant to article 26 (2) of the Directive). It is a global and unique alternative that allows all transfers of data within a group of undertakings to be regulated, without systematically verifying the legal basis for the transfer (see the comments on Article 43 on the Binding Corporate Rules).

Potential issues

The new system is certainly clearer than the previous one: safeguards need to be provided in the absence of a decision on adequacy by the Commission. The choice of safeguards is expanded and the national supervisory authorities will be able to intervene in a formalized procedure if the conventional safeguards cannot be implemented for reasons specific to the controller or the processor.

Of course, a specific difficulty would arise if the controller or the processor had considered, in the absence of an official position of the Commission, that the recipient was located in a territory offering an adequate level of protection. They must then take one of the measures proposed in order to be in compliance with the Regulation.

Regulation

Art. 46

1.   In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2.   The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

a) a legally binding and enforceable instrument between public authorities or bodies;

b) binding corporate rules in accordance with Article 47;

c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);

d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);

e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or

f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3.   Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or

b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

4.   The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

5.   Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

1st proposal

Art. 42

1.   Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.

2.   The appropriate safeguards referred to in paragraph 1 shall be provided for, in particular, by:

(a) binding corporate rules in accordance with Article 43; or

(b) standard data protection clauses adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or

(c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or

(d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4.

3.   A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b) or (c) of paragraph 2 shall not require any further authorisation.

4.   Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

5.   Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.

2nd proposal

Art. 42

1. In the absence of a decision pursuant to paragraph 3 of Article 41, a controller or processor may transfer personal data to (...) a third country or an international organisation only if the controller or processor has adduced appropriate safeguards, also covering onward transfers (...).

2. The appropriate safeguards referred to in paragraph 1 may be provided for (...), without requiring any specific authorisation from a supervisory authority, by:

(oa) a legally binding and enforceable instrument between public authorities or bodies; or

(a) binding corporate rules referred to in Article 43; or

(b) standard data protection clauses adopted by the Commission (...) in accordance with the examination procedure referred to in Article 87(2); or

(c) standard data protection clauses adopted by a supervisory authority (....) and adopted by the Commission pursuant to the examination procedure referred to in Article 87(2).

(d) an approved code of conduct pursuant to Article 38 together with binding and enforceable commitments of the controller or processor (...) in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or

(e) an approved certification mechanism pursuant to Article 39 together with binding and enforceable commitments of the controller or processor (...) in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

2a. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the data (...) in the third country or international organisation; or

(b) (...)

(c) (...)

(d) provisions to be inserted into administrative arrangements between public authorities or bodies (...).

3. (...)

4. (...)

5. (...)

5a. The supervisory authority shall apply the consistency mechanism in the cases referred to in points (ca), (d), (e) and (f) of Article 57 (2).

5b. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 2.

Directive

Art. 26

2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

3. The Member State shall inform the Commission and the other Member States of the authorizations it grants pursuant to paragraph 2.

If a Member State or the Commission objects on justified grounds involving the protection of the privacy and fundamental rights and freedoms of individuals, the Commission shall take appropriate measures in accordance with the procedure laid down in Article 31 (2).

Member States shall take the necessary measures to comply with the Commission's decision.

4. Where the Commission decides, in accordance with the procedure referred to in Article 31 (2), that certain standard contractual clauses offer sufficient safeguards as required by paragraph 2, Member States shall take the necessary measures to comply with the Commission's decision.

In force until May 25, 2018:

The Act on Personal Data Protection

Art. 48

1. In cases other than those referred to in Article 47 paragraph 2 and 3 the transfer of personal data to a third country which does not ensure an adequate level of personal data protection in its territory may take place subject to a prior consent of the Inspector General, issued by way of an administrative decision, provided that the controller ensures adequate safeguards with respect to the protection of privacy, rights and freedoms of the data subject.

2. The consent of the Inspector General is not required, if the controller ensures adequate safeguards with respect to the protection of privacy, rights and freedoms of the data subject, by means of:

1) standard contractual clauses on personal data protection, approved by the European Commission in accordance with Art. 26 para. 4 of the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (EC OJ L 281 of 23.11.1995, p. 31, with amendments; EU OJ Special Polish edition, chapter 13, v. 15, p. 355, with amendments) or

2) legally binding personal data protection principles or policies, hereinafter referred to as “binding corporate rules”, which were approved by the Inspector General in accordance with para. 3-5.

[…]
