Article 45
Transfers on the basis of an adequacy decision

Recitals of the Regulation related to article 45

(101) Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation. The increase in such flows has raised new challenges and concerns with regard to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.

(102) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects. Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects.

(103) The Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.

(104) In line with the fundamental values on which the Union is founded, in particular the protection of human rights, the Commission should, in its assessment of the third country, or of a territory or specified sector within a third country, take into account how a particular third country respects the rule of law, access to justice as well as international human rights norms and standards and its general and sectoral law, including legislation concerning public security, defence and national security as well as public order and criminal law. The adoption of an adequacy decision with regard to a territory or a specified sector in a third country should take into account clear and objective criteria, such as specific processing activities and the scope of applicable legal standards and legislation in force in the third country. The third country should offer guarantees ensuring an adequate level of protection essentially equivalent to that ensured within the Union, in particular where personal data are processed in one or several specific sectors. In particular, the third country should ensure effective independent data protection supervision and should provide for cooperation mechanisms with the Member States' data protection authorities, and the data subjects should be provided with effective and enforceable rights and effective administrative and judicial redress.

(105) Apart from the international commitments the third country or international organisation has entered into, the Commission should take account of obligations arising from the third country's or international organisation's participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or international organisations.

(106) The Commission should monitor the functioning of decisions on the level of protection in a third country, a territory or specified sector within a third country, or an international organisation, and monitor the functioning of decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC. In its adequacy decisions, the Commission should provide for a periodic review mechanism of their functioning. That periodic review should be conducted in consultation with the third country or international organisation in question and take into account all relevant developments in the third country or international organisation. For the purposes of monitoring and of carrying out the periodic reviews, the Commission should take into consideration the views and findings of the European Parliament and of the Council as well as of other relevant bodies and sources. The Commission should evaluate, within a reasonable time, the functioning of the latter decisions and report any relevant findings to the Committee within the meaning of Regulation (EU) No 182/2011 of the European Parliament and of the Council (12) as established under this Regulation, to the European Parliament and to the Council.

(107) The Commission may recognise that a third country, a territory or a specified sector within a third country, or an international organisation no longer ensures an adequate level of data protection. Consequently the transfer of personal data to that third country or international organisation should be prohibited, unless the requirements in this Regulation relating to transfers subject to appropriate safeguards, including binding corporate rules, and derogations for specific situations are fulfilled. In that case, provision should be made for consultations between the Commission and such third countries or international organisations. The Commission should, in a timely manner, inform the third country or international organisation of the reasons and enter into consultations with it in order to remedy the situation.

(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

(109) The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.

(110) A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

(111) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his or her explicit consent, where the transfer is occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies. Provision should also be made for the possibility for transfers where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In the latter case, such a transfer should not involve the entirety of the personal data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or, if they are to be the recipients, taking into full account the interests and fundamental rights of the data subject.

(112) Those derogations should in particular apply to data transfers required and necessary for important reasons of public interest, for example in cases of international data exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or for public health, for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport. A transfer of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the data subject's or another person's vital interests, including physical integrity or life, if the data subject is incapable of giving consent. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of data to a third country or an international organisation. Member States should notify such provisions to the Commission. Any transfer to an international humanitarian organisation of personal data of a data subject who is physically or legally incapable of giving consent, with a view to accomplishing a task incumbent under the Geneva Conventions or to complying with international humanitarian law applicable in armed conflicts, could be considered to be necessary for an important reason of public interest or because it is in the vital interest of the data subject.

(113) Transfers which can be qualified as not repetitive and that only concern a limited number of data subjects, could also be possible for the purposes of the compelling legitimate interests pursued by the controller, when those interests are not overridden by the interests or rights and freedoms of the data subject and when the controller has assessed all the circumstances surrounding the data transfer. The controller should give particular consideration to the nature of the personal data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and should provide suitable safeguards to protect fundamental rights and freedoms of natural persons with regard to the processing of their personal data. Such transfers should be possible only in residual cases where none of the other grounds for transfer are applicable. For scientific or historical research purposes or statistical purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration. The controller should inform the supervisory authority and the data subject about the transfer.

(114) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred so that they will continue to benefit from fundamental rights and safeguards.

(115) Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.

(116) When personal data moves across borders outside the Union it may put at increased risk the ability of natural persons to exercise data protection rights in particular to protect themselves from the unlawful use or disclosure of that information. At the same time, supervisory authorities may find that they are unable to pursue complaints or conduct investigations relating to the activities outside their borders. Their efforts to work together in the cross-border context may also be hampered by insufficient preventative or remedial powers, inconsistent legal regimes, and practical obstacles like resource constraints. Therefore, there is a need to promote closer cooperation among data protection supervisory authorities to help them exchange information and carry out investigations with their international counterparts. For the purposes of developing international cooperation mechanisms to facilitate and provide international mutual assistance for the enforcement of legislation for the protection of personal data, the Commission and the supervisory authorities should exchange information and cooperate in activities related to the exercise of their powers with competent authorities in third countries, based on reciprocity and in accordance with this Regulation.

Recitals of the Directive related to article 45

(56) Whereas cross-border flows of personal data are necessary to the expansion of international trade; whereas the protection of individuals guaranteed in the Community by this Directive does not stand in the way of transfers of personal data to third countries which ensure an adequate level of protection; whereas the adequacy of the level of protection afforded by a third country must be assessed in the light of all the circumstances surrounding the transfer operation or set of transfer operations;

(57) Whereas, on the other hand, the transfer of personal data to a third country which does not ensure an adequate level of protection must be prohibited;

(58) Whereas provisions should be made for exemptions from this prohibition in certain circumstances where the data subject has given his consent, where the transfer is necessary in relation to a contract or a legal claim, where protection of an important public interest so requires, for example in cases of international transfers of data between tax or customs administrations or between services competent for social security matters, or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest; whereas in this case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients;

(60) Whereas, in any event, transfers to third countries may be effected only in full compliance with the provisions adopted by the Member States pursuant to this Directive, and in particular Article 8 thereof;

(66) Whereas, with regard to the transfer of data to third countries, the application of this Directive calls for the conferment of powers of implementation on the Commission and the establishment of a procedure as laid down in Council Decision 87/373/EEC (1);

The GDPR

The principle of adequacy is maintained by the Regulation in Article 45, but it is nevertheless amended: the Commission is now the only body that may find whether the third country, a territory or one or several areas identified in that third country, or the international organization in question provides an adequate level of protection.

In addition to those already contained in the Directive, Article 45 (2) of the Regulation sets out some criteria for assessing the level of adequacy: the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral (including concerning public security, defence, national security and criminal law), the data protection rules and security measures, including rules for the onward transfer of personal data to another third country or international organization which are complied with in that country or international organization, etc. (a).

In accordance with the case-law of the Union, the Regulation also introduces as a criterion the existence and effective functioning of an independent supervisory authority with powers of sanction and of assistance and advice to data subjects in the exercise of their rights (b).

The adequacy of the country of destination also involves reviewing the international commitments on the protection of the personal data taken by the third country or the international organization concerned, as well as its participation in multilateral or regional systems in particular for the protection of personal data (c).

Initially, the newly introduced procedure envisaged consultation with the European Data Protection Board on the assessment of the adequacy of the level of protection provided by a third country or an international organization. However, this provision was not maintained in the final version of the Regulation.

So, the European Commission is the only competent body to determine, by means of a decision taken in accordance with Article 93 (2), the adequacy of the level of protection in a third country, but also in an international organization, a territory or one or more sectors of a third country (paragraph 1 and paragraph 3).

The Commission decision on adequacy must indicate its territorial and sectoral scope, the competent supervisory authority (if any), and determine a procedure for periodic review, at least every 4 years, taking account of the relevant developments in the third country, the international organization, or territory. The Commission is also required to assess, on this basis, the decisions adopted on the basis of this provision or Article 25, paragraph 4, of the Directive.

The Commission may also revoke, modify or suspend a decision on adequacy, but not retroactively, if the third country, territory or international organization no longer provides an adequate level of protection, in compliance with the procedure of the Board set out in Article 93 (2) of the Regulation. In case of extreme emergency, the decision repealing, amending or suspending a decision can however be taken under the accelerated procedure of Article 93 (3) (paragraph 5). It should be noted that the Commission can no longer, as was provided for in the Directive (Art. 25 (4)), find that a third country does not ensure an adequate level of protection in the absence of an earlier positive decision.

In the event of a decision of inadequacy, the Commission shall enter into consultations with the third country or international organization with a view to remedying this situation (paragraph 6).

In the absence of a decision to the contrary, the decisions on adequacy by the Commission taken in accordance with the Directive remain valid until their modification, replacement or their repeal by a decision of the Commission adopted pursuant to paragraph 3.

As we will see below, Articles 46 to 49 allow, under certain conditions, the transfer of data to a third country in the absence of a decision on adequacy (see the comments to Articles 46 to 49), especially when the controller or the processor provides appropriate safeguards to meet the shortfall in the level of protection of the country of destination of the personal data.

Paragraph 7 of Article 45 states that a decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organization in question.

The Commission shall publish a list of the third countries, territories and specified sectors within a third country and international organizations for which it has decided that an adequate level of protection is or is no longer ensured.

The Directive

As to the transfer of personal data, Article 25 of the Directive set out the principle of adequacy that a transfer of personal data to a country outside of the European Union cannot take place unless the country receiving the data ensures an adequate level of protection.

The assessment of the level of protection of the data recipient country was based on a set of factors, contained in Article 25 of the Directive as guidance. The assessment was therefore supposed to take into account all the circumstances relating to the transfer, for example, the nature of the data, the purpose and duration of the processing. It should be noted that, according to the CJEU, the independence of the supervisory authority of the third country must also be guaranteed (CJEU, 9 March 2010, C-518/7).

In this regard, the major role played by the Article 29 Working Party in its assessment of the notion of adequate protection, through the various working documents it completed, should be noted (see in particular WP4 WP7, WP, WP 74, 12 WP 114).

The Directive also provided for mechanisms for assessment of the adequacy both at the Community level and at national level. At the Community level, paragraphs 4 and 6 of the Directive vested in the Commission the power to determine, in accordance with the procedure laid down in Article 31 (2), whether or not third countries provide a level of personal data protection. According to this procedure, a representative of the Commission submitted a draft of the measures to be taken, for an opinion, to a Committee of representatives of the Member States, chaired by a representative of the Commission. It was then the responsibility of the Commission to set out directly applicable measures that were consistent with the view of the Committee. If this was not the case, the Commission could delay the application of these measures and the final decision was to be made by the Council acting by qualified majority (see Article 31 (2) of the Directive).

The Member States had to comply with the decision of the Commission: in the case of a decision on adequacy (Art. 25 (6)), the latter should take the necessary measures and in the case of a decision of inadequacy, they had to prevent the transfers to the third countries in question (Art. 25 (4)). The Commission was then charged to enter into negotiations with the country in question to remedy this situation (Article 25 (5)).

We should remember that the Commission decision of 26 July 2000 adopting the "Safe Harbor Act", which was supposed to provide a framework for transfers between the EU and the United States and comprised a series of principles for the protection of personal data, was invalidated by the Court of Justice of the European Union (CJEU, judgment of 6 October 2015, C-362/14). Notably, the Court held that the "security sphere" scheme, which authorized interference by the US authorities with the fundamental rights of individuals that was not covered by rules limiting such interference, is contrary to the Charter of Fundamental Rights of the Union.

Potential issues

The difficulties here are less legal than political.

It is probably wise to no longer let the states decide on the adequacy of the level of protection in a third country. The exclusive competence recognized to the Commission will ensure greater legal security. In the absence of a decision, it seems that the prohibition of transfer must prevail, except in application of Articles 46 et seq.

Let’s note that in doing so, the controller or the processor can no longer assess this adequacy. In the absence of a decision, they will be automatically required to cover the transfer outside the EU by one of the rules provided for in Articles 46 et seq.

Summary

European Union

European data protection board (EDPB)

Frequently Asked Questions on the judgment in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (23 July 2020)

This document aims at presenting answers to some frequently asked questions received by supervisory authorities (“SAs”) and will be developed and complemented along with further analysis, as the EDPB continues to examine and assess the judgment of the Court of Justice of the European Union (the “Court”).

Recommendations on the adequacy referential under the Law Enforcement Directive - 1/2021 (2 February 2021)

The Working Party Article 29 (WP29) has published a working document on adequacy referential under the General Data Protection Regulation (GDPR). This working document was endorsed by the European Data Protection Board (EDPB) at its first plenary.

As stated in Declaration N°21 annexed to the Lisbon Treaty, specific rules on the protection of personal data and the free movement of such data in the fields of judicial cooperation in criminal matters and police cooperation based on Article 16 of the Treaty on the Functioning of the European Union (TFEU) may prove necessary because of the specific nature of these fields.

On this basis, the EU legislator adopted Directive (EU) 2016/680 (the Law Enforcement Directive, hereinafter the ‘LED’) laying down the specific rules with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against the prevention of threats to public security.

The LED determines the grounds allowing the transfer of personal data to a third country or an international organisation in this context. One of the grounds for such transfer is the decision by the European Commission that the third country or international organisation in question ensures an adequate level of protection.

Where the working document WP254.rev01 on adequacy referential aims to provide guidance to the European Commission on the level of data protection in third countries and international organisations under the GDPR, the present document aims to provide similar guidance under the LED. It establishes in this context the core data protection principles that have to be present in a third country or an international organisation legal framework to ensure essential equivalence with the EU framework within the scope of the LED (i.e. for processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties). In addition, it may guide third countries and international organisations interested in obtaining adequacy.

The present document focuses solely on adequacy decisions. These are implementing acts of the European Commission according to Article 36(3) of the LED.

Statement on the announcement of an agreement in principle on a new Trans-Atlantic Data Privacy Framework - 1/2022 (6 April 2022)

The EDPB welcomes the announcement of a political agreement in principle between the European Commission and the United States on 25 March on a new Trans-Atlantic Data Privacy Framework. This announcement is made at a time where transfers from the European Economic Area to the U.S. face significant challenges. The commitment of the U.S. highest authorities to establish ‘unprecedented’ measures to protect the privacy and personal data of individuals in the European Economic Area (EEA individuals) when their data are transferred to the U.S. is a positive first step in the right direction. The EDPB will examine how this political agreement translates into concrete legal proposals to address the concerns raised by the Court of Justice of the European Union (CJEU) in order to provide legal certainty to EEA individuals and exporters of data. At this stage, this announcement does not constitute a legal framework on which data exporters can base their data transfers to the United States. Data exporters must therefore continue taking the actions required to comply with the case law of the CJEU, and in particular its Schrems II decision of 16 July 2020. The GDPR requires that the Commission seeks an opinion of the EDPB before adopting a possible new adequacy decision recognising as satisfactory the level of data protection guaranteed by the U.S. authorities. The EDPB looks forward to assessing carefully the improvements that a new Trans-Atlantic Data Privacy Framework may bring in the light of EU law, the case-law of the CJEU and the recommendations the EDPB made on that basis. The EDPB will prepare its opinion when it receives from the European Commission all supporting documents. In particular, the EDPB will analyse in detail how these reforms ensure that the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate. 
The EDPB will also examine to what extent the announced independent redress mechanism respects the EEA individuals’ right to an effective remedy and to a fair trial. In particular, the EDPB will look at whether any new authority part of this mechanism has access to relevant information, including personal data, when exercising its mission and can adopt decisions binding on the intelligence services. The EDPB will also consider whether there is a judicial remedy against this authority’s decisions or inaction. The EDPB remains committed to playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA individuals and organisations. The EDPB stands ready to provide the European Commission with support to help it build, together with the U.S., a new framework that fully complies with EU data protection law.

Recommendations on the European Essential Guarantees for surveillance measures - 2/2020 (10 November 2020)

1. Following the Schrems I judgment, EU Data Protection Authorities assembled in the Working Party 29 drew upon the jurisprudence to identify the European Essential Guarantees, which need to be respected to make sure interferences with the rights to privacy and the protection of personal data, through surveillance measures, when transferring personal data, do not go beyond what is necessary and proportionate in a democratic society.

2. The EDPB would like to stress that the European Essential Guarantees are based on the jurisprudence of the Court of Justice of the European Union (hereinafter: CJEU) related to Articles 7, 8, 47 and 52 of the Charter of Fundamental Rights of the EU (hereinafter: the Charter) and, as the case may be, on the jurisprudence of the European Court of Human Rights (hereinafter: ECtHR) related to Article 8 of the European Convention on Human Rights (hereinafter: ECHR) dealing with surveillance issues in States party to the ECHR.

3. The update of this paper is meant to further develop the European Essential Guarantees, originally drafted in response to the Schrems I judgment by reflecting the clarifications provided by the CJEU (and by the ECtHR) since it was first published, in particular in its landmark Schrems II judgment.

4. In its Schrems II judgment, the CJEU stated that the examination of the Commission Decision 2010/87/EU on standard contractual clauses for the transfer of personal data to processors established in third countries, in the light of Articles 7, 8 and 47 of the Charter, has disclosed nothing to affect the validity of that decision, but invalidated the Privacy Shield Decision. The CJEU held that the Privacy Shield Decision was incompatible with Article 45 (1) GDPR, in the light of Articles 7, 8, and 47 of the Charter. The judgment can thus serve as an example where surveillance measures in a third country (in this case the U.S. with Section 702 FISA and Executive Order 12 333) are neither sufficiently limited nor object of an effective redress available to data subjects to enforce their rights, as required under EU law in order to consider the level of protection in a third country to be “essentially equivalent” to that guaranteed within the European Union within the meaning of Article 45 (1) of the GDPR.

5. The reasons for the invalidation of the Privacy Shield also have consequences on other transfer tools. Even though the Court interpreted Article 46(1) GDPR in the context of the validity of the Standard Contractual Clauses (hereinafter: SCCs), its interpretation applies to any transfer to third countries relying on any of the tools referred to in Article 46 GDPR.

6. It is ultimately for the CJEU to judge whether interferences with a fundamental right can be justified. However, in absence of such a judgment and in application of the standing jurisprudence, data protection authorities are required to assess individual cases, either ex officio or following a complaint, and to either refer the case to a national Court if they suspect that the transfer does not comply with Article 45 where there is an adequacy decision, or to suspend or prohibit the transfer if they find Article 46 GDPR cannot be complied with and the protection of the data transferred required by EU law cannot be ensured by other means.

7. The aim of the updated European Essential Guarantees is to provide elements to examine, whether surveillance measures allowing access to personal data by public authorities in a third country, being national security agencies or law enforcement authorities, can be regarded as a justifiable interference or not.

8. Indeed, the European Essential Guarantees form part of the assessment to conduct in order to determine whether a third country provides a level of protection essentially equivalent to that guaranteed within the EU but do not aim on their own at defining all the elements which are necessary to consider that a third country provides such a level of protection in accordance with Article 45 of the GDPR. Likewise, they do not aim on their own at defining all the elements that might be necessary to consider when assessing whether the legal regime of a third country prevents the data exporter and data importer from ensuring appropriate safeguards in accordance with Article 46 of the GDPR.

9. Therefore, the elements provided in this paper should be seen as the essential guarantees to be found in the third country when assessing the interference, entailed by a third country surveillance measures, with the rights to privacy and to data protection, rather than a list of elements to demonstrate that the legal regime of a third country as a whole is providing an essentially equivalent level of protection.

10. Article 6(3) of the Treaty on European Union establishes that the fundamental rights enshrined in the ECHR constitute general principles of EU law. However, as the CJEU recalls in its jurisprudence, the latter does not constitute, as long as the European Union has not acceded to it, a legal instrument which has been formally incorporated into EU law. Thus, the level of protection of fundamental rights required by Article 46(1) of the GDPR must be determined on the basis of the provisions of that regulation, read in the light of the fundamental rights enshrined in the Charter. This being said, according to Article 52(3) of the Charter the rights contained therein which correspond to rights guaranteed by the ECHR are to have the same meaning and scope as those laid down by that Convention, and consequently, as recalled by the CJEU, the jurisprudence of the ECtHR concerning rights which are also foreseen in the Charter of Fundamental Rights of the EU must be taken into account, as a minimum threshold of protection to interpret corresponding rights in the Charter. According to the last sentence of Article 52(3) of the Charter, however, “[t]his provision shall not prevent Union law providing more extensive protection.”

11. Therefore, the substance of the Essential Guarantees will continue to be partly based on the jurisprudence of the ECtHR, to the extent that the Charter as interpreted by the CJEU does not provide for a higher level of protection which prescribes other requirements than the ECtHR case law.

12. This paper explains the background and further details the four European Essential Guarantees.

Article 29 Working Party

Adequacy Referential - wp254rev.01 (6 February 2018)

(Approved by the EDPB)

The Working Party of EU Data Protection Authorities (the WP29) has previously published a Working Document on transfers of personal data to third countries (WP12). With the replacement of the Directive by the EU General Data Protection Regulation (GDPR), WP29 is revisiting WP12, its earlier guidance, to update it in the context of the new legislation and recent case law of the European Court of Justice (CJEU).

This working document seeks to update Chapter One of WP12 relating to the central question of adequate level of data protection in a third country, a territory or one or more specified sectors within that third country or in an international organization (hereafter: "third countries or international organizations").

This document will be continuously reviewed and if necessary updated in the coming years, based on the practical experience gained through the application of the GDPR. Chapters 2 (Applying the approach to countries that have ratified Convention 108) and 3 (Applying the approach to industry self-regulation) of the WP12 document should be updated at a later stage. This working paper is focused solely on adequacy decisions, which are implementing acts of the European Commission, according to article 45 of the GDPR. Other aspects of transfers of personal data to third countries and international organizations will be examined in following working papers that will be published separately (BCRs, derogations).

This document aims to provide guidance to the European Commission and the WP29 under the GDPR for the assessment of the level of data protection in third countries and international organizations by establishing the core data protection principles that have to be present in a third country legal framework or an international organization in order to ensure essential equivalence with the EU framework. In addition, it may guide third countries and international organizations interested in obtaining adequacy. However, the principles set out in this working document are not addressed directly to data controllers or data processors.

The present document consists of 4 Chapters:

Chapter 1: Some broad information in relation to the concept on adequacy

Chapter 2: Procedural aspects for adequacy findings under the GDPR

Chapter 3: General Data Protection Principles. This chapter includes the core general data protection principles to ensure that the level of data protection in a third country or international organization is essentially equivalent to the one established by the EU legislation.

Chapter 4: Essential guarantees for law enforcement and national security access to limit the interferences to fundamental rights. This Chapter includes the essential guarantees for law enforcement and national security access following the CJEU Schrems judgment in 2015 and based on the Essential Guarantees WP29 working document adopted in 2016.

European Union

CJEU caselaw

C-362/14 (6 October 2015) - Schrems

1.      Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data as amended by Regulation (EC) No 1882/2003 of the European Parliament and of the Council of 29 September 2003, read in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights of the European Union, must be interpreted as meaning that a decision adopted pursuant to that provision, such as Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46 on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce, by which the European Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive as amended, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.

2.      Decision 2000/520 is invalid.

C-311/18 (16 July 2020) - Facebook Ireland and Schrems

1.   Article 2(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that that regulation applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, irrespective of whether, at the time of that transfer or thereafter, that data is liable to be processed by the authorities of the third country in question for the purposes of public security, defence and State security.

2.   Article 46(1) and Article 46(2)(c) of Regulation 2016/679 must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter of Fundamental Rights of the European Union. To that end, the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation.

3.   Article 58(2)(f) and (j) of Regulation 2016/679 must be interpreted as meaning that, unless there is a valid European Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of that regulation and by the Charter of Fundamental Rights, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.

4.   Examination of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EU of the European Parliament and of the Council, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights has disclosed nothing to affect the validity of that decision.

5.   Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.

Regulation

Art. 45

1.   A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

2.   When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data are being transferred;

b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules, including adequate enforcement powers, for assisting and advising the data subjects in exercising their rights and for cooperation with the supervisory authorities of the Member States; and

c) the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

3.   The Commission, after assessing the adequacy of the level of protection, may decide, by means of implementing act, that a third country, a territory or one or more specified sectors within a third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review, at least every four years, which shall take into account all relevant developments in the third country or international organisation. The implementing act shall specify its territorial and sectoral application and, where applicable, identify the supervisory authority or authorities referred to in point (b) of paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 93(2).

4.   The Commission shall, on an ongoing basis, monitor developments in third countries and international organisations that could affect the functioning of decisions adopted pursuant to paragraph 3 of this Article and decisions adopted on the basis of Article 25(6) of Directive 95/46/EC.

5.   The Commission shall, where available information reveals, in particular following the review referred to in paragraph 3 of this Article, that a third country, a territory or one or more specified sectors within a third country, or an international organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 of this Article, to the extent necessary, repeal, amend or suspend the decision referred to in paragraph 3 of this Article by means of implementing acts without retro-active effect. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 93(2).

On duly justified imperative grounds of urgency, the Commission shall adopt immediately applicable implementing acts in accordance with the procedure referred to in Article 93(3).

6.   The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the decision made pursuant to paragraph 5.

7.   A decision pursuant to paragraph 5 of this Article is without prejudice to transfers of personal data to the third country, a territory or one or more specified sectors within that third country, or the international organisation in question pursuant to Articles 46 to 49.

8.   The Commission shall publish in the Official Journal of the European Union and on its website a list of the third countries, territories and specified sectors within a third country and international organisations for which it has decided that an adequate level of protection is or is no longer ensured.

9.   Decisions adopted by the Commission on the basis of Article 25(6) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5 of this Article.

1st proposal

Art. 41

1.           A transfer may take place where the Commission has decided that the third country, or a territory or a processing sector within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any further authorisation.

2.           When assessing the adequacy of the level of protection, the Commission shall give consideration to the following elements:

(a)     the rule of law, relevant legislation in force, both general and sectoral, including concerning public security, defence, national security and criminal law, the professional rules and security measures which are complied with in that country or by that international organisation, as well as effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred;

(b)     the existence and effective functioning of one or more independent supervisory authorities in the third country or international organisation in question responsible for ensuring compliance with the data protection rules, for assisting and advising the data subjects in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States; and

(c)     the international commitments the third country or international organisation in question has entered into.

3.           The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2).

4.           The implementing act shall specify its geographical and sectoral application, and, where applicable, identify the supervisory authority mentioned in point (b) of paragraph 2.

5.           The Commission may decide that a third country, or a territory or a processing sector within that third country, or an international organisation does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, in particular in cases where the relevant legislation, both general and sectoral, in force in the third country or international organisation, does not guarantee effective and enforceable rights including effective administrative and judicial redress for data subjects, in particular for those data subjects residing in the Union whose personal data are being transferred. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2), or, in cases of extreme urgency for individuals with respect to their right to personal data protection, in accordance with the procedure referred to in Article 87(3).

6.           Where the Commission decides pursuant to paragraph 5, any transfer of personal data to the third country, or a territory or a processing sector within that third country, or the international organisation in question shall be prohibited, without prejudice to Articles 42 to 44. At the appropriate time, the Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation resulting from the Decision made pursuant to paragraph 5 of this Article.

7.           The Commission shall publish in the Official Journal of the European Union a list of those third countries, territories and processing sectors within a third country and international organisations where it has decided that an adequate level of protection is or is not ensured.

8.           Decisions adopted by the Commission on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC shall remain in force, until amended, replaced or repealed by the Commission.

2nd proposal

Art. 41

1. A transfer of personal data to (...) a third country or an international organisation may take place where the Commission has decided that the third country, or a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such transfer shall not require any specific authorisation.

2. When assessing the adequacy of the level of protection, the Commission shall, in particular, take account of the following elements:

(a) the rule of law, respect for human rights and fundamental freedoms, relevant legislation (...), both general and sectoral, data protection rules and security measures, including rules for onward transfer of personal data to another third country or international organisation, which are complied with in that third country or international organisation, as well as the existence of effective and enforceable data subject rights and effective administrative and judicial redress for data subjects whose personal data are being transferred (...);

(b) the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with the data protection rules including adequate sanctioning powers for assisting and advising the data subjects in exercising their rights and for co-operation with the supervisory authorities of the Union and of Member States;

(c) the international commitments the third country or international organisation concerned has entered into, or other (...) obligations arising from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

2a. The European Data Protection Board shall give the Commission an opinion for the assessment of the adequacy of the level of protection in a third country or international organization, including for the assessment whether a third country or the territory or the international organization or the specified sector no longer ensures an adequate level of protection.

3. The Commission, after assessing the adequacy of the level of protection, may decide that a third country, or a territory or one or more specified sectors within that third country, or an international organisation ensures an adequate level of protection within the meaning of paragraph 2. (...).

The implementing act shall specify its territorial and sectoral application and, where applicable, identify the (independent) supervisory authority(ies) mentioned in point (b) of paragraph 2. The implementing act shall be adopted in accordance with the examination procedure referred to in Article 87(2).

3a. Decisions adopted by the Commission on the basis of Article 25(6) (...) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 3 or 5.

4. (...)

4a. The Commission shall monitor the functioning of decisions adopted pursuant to paragraph 3 and decisions adopted on the basis of Article 25(6) or Article 26(4) of Directive 95/46/EC.

5. The Commission may decide that a third country, or a territory or a specified sector within that third country, or an international organisation no longer ensures an adequate level of protection within the meaning of paragraph 2 and may, where necessary, repeal, amend or suspend such decision without retro-active effect. The implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2) or, in cases of extreme urgency (...), in accordance with the procedure referred to in Article 87(3). (...)

5a. The Commission shall enter into consultations with the third country or international organisation with a view to remedying the situation giving rise to the Decision made pursuant to paragraph 5.

6. A decision pursuant to paragraph 5 is without prejudice to transfers of personal data to the third country, or the territory or specified sector within that third country, or the international organisation in question pursuant to Articles 42 to 44.(...)

7. The Commission shall publish in the Official Journal of the European Union a list of those third countries, territories and specified sectors within a third country and international organisations in respect of which decisions have been taken pursuant to paragraphs 3, 3a and 5.

8. (...)

Directive

Art. 25

1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.

2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.

3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.

4. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.

5. At the appropriate time, the Commission shall enter into negotiations with a view to remedying the situation resulting from the finding made pursuant to paragraph 4.

6. The Commission may find, in accordance with the procedure referred to in Article 31 (2), that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article, by reason of its domestic law or of the international commitments it has entered into, particularly upon conclusion of the negotiations referred to in paragraph 5, for the protection of the private lives and basic freedoms and rights of individuals.

Member States shall take the measures necessary to comply with the Commission's decision.
