Article 46
Transfers subject to appropriate safeguards

Official
Texts
Guidelines
& Caselaw
Review of
EU Regulation
Review of
Nat. Regulation
Show the recitals of the Regulation related to article 46 keyboard_arrow_down Hide the recitals of the Regulation related to article 46 keyboard_arrow_up

(105) Apart from the international commitments the third country or international organisation has entered into, the Commission should take account of obligations arising from the third country's or international organisation's participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or international organisations.

(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

(109) The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.

(110) A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

(114) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred so that that they will continue to benefit from fundamental rights and safeguards.

Show the recitals of the Directive related to article 46 keyboard_arrow_down Hide the recitals of the Directive related to article 46 keyboard_arrow_up

(59) Whereas particular measures may be taken to compensate for the lack of protection in a third country in cases where the controller offers appropriate safeguards; whereas, moreover, provision must be made for procedures for negotiations between the Community and such third countries;

The GDPR

Article 46 of the Regulation repeats and details the exception laid down in article 26 (2) of the Directive, if sufficient safeguards are provided by the controller or the processor and in the absence of a Commission decision finding an adequate level of protection. We should remember here that the controller or the processor is no longer required to appreciate this level. In the absence of such a decision, the conditions of such an exception must be met (or one of those provided for in Articles 47 and 49).

The final version of the Regulation supplements paragraph 1 of Article 46, adding that the transfer with appropriate safeguards is authorised only on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

The implementation of the measures listed in article 46 (2) takes place without permission of the supervisory authority; it can be:

- by a legally binding and enforceable instrument between public authorities or bodies (a) or

- by binding corporate rules in accordance with Article 47. Recital 110 adds that these corporate rules must include the essential principles and the enforceable rights providing appropriate safeguards for the transfers or the categories of transfers of personal data or

- by standard data protection clauses adopted by the Commission (c) or jointly by a supervisory authority and by the Commission (d), or

- by a an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights (e).

- by an approved certification mechanism pursuant to Article 42 certifying the compliance of the processing with the rules of the Union (f)).

Paragraph 3 details other measures for which the prior authorization of the competent supervisory authority is required. In these cases, the supervisory authority must respect the consistency mechanism defined in Article 64, stipulating that the opinion of the European Data Protection Board must be required (see 64 (1), e)).

Subject to the authorization are:

- the contractual clauses that would not have been subject to prior adoption by the Commission or by a national supervisory authority, entered into between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization (Art. 46 (3), a)) or

- provisions to be inserted into administrative arrangements between public authorities or bodies (Art. 46 (3), b)). The final version of the Regulation specifies that these arrangements should ensure the effectiveness of the rights granted to data subjects.

Lastly, Paragraph 5 states that the authorizations issued by a Member State or a supervisory authority pursuant to the Directive remain valid until their amendment, revision, or repealing by the same authority. The same applies to the decisions of the Commission taken pursuant to Article 26 (4) of the Directive.

The Directive

The Directive provided various exceptions to the prohibition of treatment resulting from the absence of an adequate level of protection.

One of them is laid down in Article 26 (2) and applies when the controller offers sufficient safeguards with respect to the protection of the privacy and fundamental rights of individuals, as well as with respect to the exercise of the corresponding rights and freedoms. This derogation implies that the controller shall have taken special measures to meet the shortfall in the level of protection of the country of destination of the personal data.

According to Article 26 (2) of the Directive, these appropriate safeguards may result from appropriate contractual clauses. Standard contractual terms have therefore been developed to regulate the transfers of data outside the EU by formalizing the protection rules contained in the Directive. Models were then adopted by the European Commission in accordance with Article 26 (4) of the Directive. In practice, this provision gave the Commission the power to find, by way of decision, that some standard contractual clauses offered sufficient safeguards, which then required the Member States to authorise the transfers based on these standard contractual clauses. The Commission decision should be adopted in accordance with the procedure laid down in Article 31, paragraph 2, providing for referral to the Committee under article 31 (see decisions 2001/497/EC 2002/16/EC; 2004/915/EC; 2010/87/EU).

An alternative to the standard contractual clauses has emerged since 2003: the internal corporate rules (called Binding Corporate Rules). Though initially sceptical, it was the Article 29 Working Party who developed this system in its working paper WP 74 of 3 June 2003  (working paper WP 74: Transfers of personal data to third countries pursuant to article 26 (2) of the Directive). It is a global and unique alternative that allows regulating all transfers of data within a group of undertakings, without systematically verifying the legal basis for the transfer (see the comments on Article 43 on the Binding Corporate Rules).

Potential issues

The new system is certainly clearer than the previous: safeguards need to be provided in the absence of a decision on adequacy by the Commission. The choice of safeguards is expanded and the national supervisory authorities will be able to intervene in a formalized procedure if the conventional safeguards cannot be implemented for reasons specific to the controller or the processor.

Of course, a specific difficulty would arise if the controller or the processor had considered, in the absence of official position of the Commission, that the recipient was located on a territory offering an adequate level of protection. They must then take one of the measures proposed to be in compliance with the Regulation. 

Group 29

European data protection board (EDPB)

Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies (15 décembre 2020)

This document seeks to provide guidance as to the application of Articles 46 (2) (a) and 46 (3) (b) of the General Data Protection Regulation (GDPR) on transfers of personal data from EEA public authorities or bodies (hereafter “public bodies”) to public bodies in third countries or to international organisations, to the extent that these are not covered by an adequacy finding adopted by the European Commission . Public bodies may choose to use these mechanisms, which the GDPR considers more appropriate to their situation, but are also free to rely on other relevant tools providing for appropriate safeguards in accordance with Article 46 GDPR.

The guidelines are intended to give an indication as to the expectations of the European Data Protection Board (EDPB) on the safeguards required to be put in place by a legally binding and enforceable instrument between public bodies pursuant to Article 46 (2) (a) GDPR or, subject to authorisation from the competent supervisory authority (SA), by provisions to be inserted into administrative arrangements between public bodies pursuant to Article 46 (3) (b) GDPR. The EDPB strongly recommends parties to use the guidelines as a reference at an early stage when envisaging concluding or amending such instruments or arrangements.

The guidelines are to be read in conjunction with other previous work done by the EDPB (including endorsed documents by its predecessor, the Article 29 Working Party (“WP29”)) on the central questions of territorial scope and transfers of personal data to third countries . The guidelines will be reviewed and if necessary updated, based on the practical experience gained from the application of the GDPR.

The present guidelines cover international data transfers between public bodies occurring for various administrative cooperation purposes falling within the scope of the GDPR. As a consequence and in accordance with Article 2 (2) of the GDPR, they do not cover transfers in the area of public security, defence or state security. In addition, they do not deal with data processing and transfers by competent authorities for criminal law enforcement purposes, since this is governed by a separate specific instrument, the law enforcement Directive . Finally, the guidelines only focus on transfers between public bodies and do not cover transfers of personal data from a public body to a private entity or from a private entity to a public body.

Link

Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, version 2.0 (18 June 2021)

The EU General Data Protection Regulation (GDPR) was adopted to serve a dual-purpose: facilitating the free flow of personal data within the European Union, while preserving the fundamental rights and freedoms of individuals, in particular their right to the protection of personal data.

In its recent judgment C-311/18 (Schrems II) the Court of Justice of the European Union (CJEU) reminds us that the protection granted to personal data in the European Economic Area (EEA) must travel with the data wherever it goes. Transferring personal data to third countries cannot be a means to undermine or water down the protection it is afforded in the EEA. The Court also asserts this by clarifying that the level of protection in third countries does not need to be identical to that guaranteed within the EEA but essentially equivalent. The Court also upholds the validity of standard contractual clauses, as a transfer tool that may serve to ensure contractually an essentially equivalent level of protection for data transferred to third countries.

Standard contractual clauses and other transfer tools mentioned under Article 46 GDPR do not operate in a vacuum. The Court states that controllers or processors, acting as exporters, are responsible for verifying, on a case-by-case basis and, where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools. In those cases, the Court still leaves open the possibility for exporters to implement supplementary measures that fill these gaps in the protection and bring it up to the level required by EU law. The Court does not specify which measures these could be. However, the Court underlines that exporters will need to identify them on a case-by-case basis. This is in line with the principle of accountability of Article 5.2 GDPR, which requires controllers to be responsible for, and be able to demonstrate compliance with the GDPR principles relating to processing of personal data.

To help exporters (be they controllers or processors, private entities or public bodies, processing personal data within the scope of application of the GDPR) with the complex task of assessing third countries and identifying appropriate supplementary measures where needed, the European Data Protection Board (EDPB) has adopted these recommendations. These recommendations provide exporters with a series of steps to follow, potential sources of information, and some examples of supplementary measures that could be put in place.

As a first step, the EDPB advises you, exporters, to know your transfers. Mapping all transfers of personal data to third countries can be a difficult exercise. Being aware of where the personal data goes is however necessary to ensure that it is afforded an essentially equivalent level of protection wherever it is processed. You must also verify that the data you transfer is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

A second step is to verify the transfer tool your transfer relies on, amongst those listed under Chapter V GDPR. If the European Commission has already declared the country, region or sector to which you are transferring the data as adequate, through one of its adequacy decisions under Article 45 GDPR or under the previous Directive 95/46 as long as the decision is still in force, you will not need to take any further steps, other than monitoring that the adequacy decision remains valid. In the absence of an adequacy decision, you need to rely on one of the transfer tools listed under Articles 46 GDPR. Only in some cases you may be able to rely on one of the derogations provided for in Article 49 GDPR if you meet the conditions. Derogations cannot become “the rule” in practice, but need to be restricted to specific situations.

A third step is to assess if there is anything in the law and/or practices in force of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer. Your assessment should be focused first and foremost on third country legislation that is relevant to your transfer and the Article 46 GDPR transfer tool you are relying on. Examining also the practices of the third country’s public authorities will allow you to verify if the safeguards contained in the transfer tool can ensure, in practice, the effective protection of the personal data transferred. Examining these practices will be especially relevant for your assessment where:

(i) legislation in the third country formally meeting EU standards is manifestly not applied/complied with in practice;

(ii) there are practices incompatible with the commitments of the transfer tool where relevant legislation in the third country is lacking;

(iii) your transferred data and/or importer fall or might fall within the scope of problematic legislation (i.e. impinging on the transfer tool’s contractual guarantee of an essentially equivalent level of protection and not meeting EU standards on fundamental rights, necessity and proportionality).

In the first two situations, you will have to suspend the transfer or implement adequate supplementary measures if you wish to proceed with it.

In the third situation, in light of uncertainties surrounding the potential application of problematic legislation to your transfer, you may decide to: suspend the transfer; implement supplementary measures to proceed with it; or alternatively, you may decide to proceed with the transfer without implementing supplementary measures if you consider and are able to demonstrate and document that you have no reason to believe that relevant and problematic legislation will be interpreted and/or applied in practice so as to cover your transferred data and importer. For evaluating the elements to be taken into account when assessing the law of a third country dealing with access to data by public authorities for the purpose of surveillance, please refer to the EDPB European Essential Guarantees recommendations. You should conduct this assessment with due diligence and document it thoroughly. Your competent supervisory and/or judicial authorities may request it and hold you accountable for any decision you take on that basis.

A fourth step is to identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This step is only necessary if your assessment reveals that the third country legislation and/or practices impinge on the effectiveness of the Article 46 GDPR transfer tool you are relying on or you intend to rely on in the context of your transfer. These recommendations contain (in Annex 2) a non-exhaustive list of examples of supplementary measures with some of the conditions they would require to be effective. As is the case for the appropriate safeguards contained in the Article 46 transfer tools, some supplementary measures may be effective in some countries, but not necessarily in others. You will be responsible for assessing their effectiveness in the context of the transfer, and in light of the third country law and practices and the transfer tool you are relying on, as you will be held accountable for any decision you take on that basis. This might also require you to combine several supplementary measures. You may ultimately find that no supplementary measure can ensure an essentially equivalent level of protection for your specific transfer. In those cases where no supplementary measure is suitable, you must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data. You should also conduct this assessment of supplementary measures with due diligence and document it.

A fifth step is to take any formal procedural steps the adoption of your supplementary measure may require, depending on the Article 46 GDPR transfer tool you are relying on. These recommendations specify some of these formalities. You may need to consult your competent supervisory authorities on some of them.

The sixth and final step is to re-evaluate at appropriate intervals the level of protection afforded to the personal data you transfer to third countries and to monitor if there have been or there will be any developments that may affect it. The principle of accountability requires continuous vigilance of the level of protection of personal data.

Supervisory authorities will continue exercising their mandate to monitor the application of the GDPR and enforce it. Supervisory authorities will pay due consideration to the actions exporters take to ensure that the data they transfer is afforded an essentially equivalent level of protection. As the Court recalls, supervisory authorities will suspend or prohibit data transfers in those cases where they find that an essentially equivalent level of protection cannot be ensured, following an investigation or a complaint. Supervisory authorities will continue developing guidance for exporters and coordinating their actions in the EDPB to ensure consistency in the application of EU data protection law.

Lien

The European Commission

Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, (4 June 2021)

The models of standard contractual clauses are still relevant and were updated by the European Commission on June 4, 2021.

Link

CJEU caselaw

C-311/18 (16 July 2020)

1.   Article 2(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that that regulation applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, irrespective of whether, at the time of that transfer or thereafter, that data is liable to be processed by the authorities of the third country in question for the purposes of public security, defence and State security.

2.   Article 46(1) and Article 46(2)(c) of Regulation 2016/679 must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter of Fundamental Rights of the European Union. To that end, the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation.

3.   Article 58(2)(f) and (j) of Regulation 2016/679 must be interpreted as meaning that, unless there is a valid European Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of that regulation and by the Charter of Fundamental Rights, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.

4.   Examination of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EU of the European Parliament and of the Council, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights has disclosed nothing to affect the validity of that decision.

5.   Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.

Opinion of Advocate general

Judgment of the Court

Regulation
1e 2e

Art. 46

1.   In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2.   The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

a) a legally binding and enforceable instrument between public authorities or bodies;

b) binding corporate rules in accordance with Article 47;

c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);

d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);

e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or

f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3.   Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or

b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

4.   The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

5.   Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

1st proposal close

Art. 42

1.           Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.

2.           The appropriate safeguards referred to in paragraph 1 shall be provided for, in particular, by:

(a)     binding corporate rules in accordance with Article 43; or

(b)     standard data protection clauses adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or

(c)     standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or

(d)     contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4.

3.           A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b) or (c) of paragraph 2 shall not require any further authorisation.

4.           Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

5.           Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.

2nd proposal close

Art. 42

1. In the absence of a decision pursuant to paragraph 3 of Article 41, a controller or processor may transfer personal data to (...) a third country or an international organisation only if the controller or processor has adduced appropriate safeguards, also covering onward transfers (...).

2. The appropriate safeguards referred to in paragraph 1 may be provided for (...), without requiring any specific authorisation from a supervisory authority, by:

(oa) a legally binding and enforceable instrument between public authorities or bodies; or

(a) binding corporate rules referred to in Article 43; or

(b) standard data protection clauses adopted by the Commission (...) in accordance with the examination procedure referred to in Article 87(2); or

(c) standard data protection clauses adopted by a superv isory authority (....) and adopted by the Commission pursuant to the examination procedure referred to in Article 87(2).

(d) an approved code of conduct pursuant to Article 38 together with binding and enforceable commitments of the controller or processor (...) in the third country to apply the appropriate safeguards, including as regards data subjects’ rights ; or

(e) an approved certification mechanism pursuant to Article 39 together with binding and enforceable commitments of the controller or processor (...) in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

2a. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the data (...) in the third country or international organisation; or

(b) (...)

(c) (...)

(d) provisions to be inserted into administrative arrangements between public authorities or bodies (...).

3. (...)

4. (...)

5. (...)

5a. The supervisory authority shall apply the consistency mechanism in the cases referred to in points (ca), (d), (e) and (f) of Article 57 (2).

5b. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 2.

Directive close

Art. 26

2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

3. The Member State shall inform the Commission and the other Member States of the authorizations it grants pursuant to paragraph 2.

If a Member State or the Commission objects on justified grounds involving the protection of the privacy and fundamental rights and freedoms of individuals, the Commission shall take appropriate measures in accordance with the procedure laid down in Article 31 (2).

Member States shall take the necessary measures to comply with the Commission's decision.

4. Where the Commission decides, in accordance with the procedure referred to in Article 31 (2), that certain standard contractual clauses offer sufficient safeguards as required by paragraph 2, Member States shall take the necessary measures to comply with the Commission's decision.

Schedule 4 - Cases where the eighrth principle does not apply

8. The transfer is made on terms which are of a kind approved by the Commissioner as ensuring adequate safeguards for the rights and freedoms of data subjects.

9. The transfer has been authorised by the Commissioner as being made in such a manner as to ensure adequate safeguards for the rights and freedoms of data subjects.

close