menu MENU
arrow_back Back to the list of all Articles
Change country (Currently : Denmark) language
Contact our local member in Denmark mail_outline
Visit the website of Integra account_balance

arrow_backPrevious Article
Article 46
Next Articlearrow_forward

Transfers subject to appropriate safeguards

Official
Texts Guidelines
& Caselaw Review of
EU Regulation Review of
Nat. Regulation
Show key term(s) and Article(s) related to article 46 of the Regulation keyboard_arrow_down Hide key term(s) and Article(s) related to article 46 keyboard_arrow_up

Key words related to article 46

Show the recitals of the Regulation related to article 46 keyboard_arrow_down Hide the recitals of the Regulation related to article 46 keyboard_arrow_up

(105) Apart from the international commitments the third country or international organisation has entered into, the Commission should take account of obligations arising from the third country's or international organisation's participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or international organisations.

(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

(109) The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.

(110) A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

(114) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred so that that they will continue to benefit from fundamental rights and safeguards.

Show the recitals of the Directive related to article 46 keyboard_arrow_down Hide the recitals of the Directive related to article 46 keyboard_arrow_up

(59) Whereas particular measures may be taken to compensate for the lack of protection in a third country in cases where the controller offers appropriate safeguards; whereas, moreover, provision must be made for procedures for negotiations between the Community and such third countries;

The GDPR

Article 46 of the Regulation repeats and details the exception laid down in article 26 (2) of the Directive, if sufficient safeguards are provided by the controller or the processor and in the absence of a Commission decision finding an adequate level of protection. We should remember here that the controller or the processor is no longer required to appreciate this level. In the absence of such a decision, the conditions of such an exception must be met (or one of those provided for in Articles 47 and 49).

The final version of the Regulation supplements paragraph 1 of Article 46, adding that the transfer with appropriate safeguards is authorised only on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

The implementation of the measures listed in article 46 (2) takes place without permission of the supervisory authority; it can be:

- by a legally binding and enforceable instrument between public authorities or bodies (a) or

- by binding corporate rules in accordance with Article 47. Recital 110 adds that these corporate rules must include the essential principles and the enforceable rights providing appropriate safeguards for the transfers or the categories of transfers of personal data or

- by standard data protection clauses adopted by the Commission (c) or jointly by a supervisory authority and by the Commission (d), or

- by a an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights (e).

- by an approved certification mechanism pursuant to Article 42 certifying the compliance of the processing with the rules of the Union (f)).

Paragraph 3 details other measures for which the prior authorization of the competent supervisory authority is required. In these cases, the supervisory authority must respect the consistency mechanism defined in Article 64, stipulating that the opinion of the European Data Protection Board must be required (see 64 (1), e)).

Subject to the authorization are:

- the contractual clauses that would not have been subject to prior adoption by the Commission or by a national supervisory authority, entered into between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization (Art. 46 (3), a)) or

- provisions to be inserted into administrative arrangements between public authorities or bodies (Art. 46 (3), b)). The final version of the Regulation specifies that these arrangements should ensure the effectiveness of the rights granted to data subjects.

Lastly, Paragraph 5 states that the authorizations issued by a Member State or a supervisory authority pursuant to the Directive remain valid until their amendment, revision, or repealing by the same authority. The same applies to the decisions of the Commission taken pursuant to Article 26 (4) of the Directive.

The Directive

The Directive provided various exceptions to the prohibition of treatment resulting from the absence of an adequate level of protection.

One of them is laid down in Article 26 (2) and applies when the controller offers sufficient safeguards with respect to the protection of the privacy and fundamental rights of individuals, as well as with respect to the exercise of the corresponding rights and freedoms. This derogation implies that the controller shall have taken special measures to meet the shortfall in the level of protection of the country of destination of the personal data.

According to Article 26 (2) of the Directive, these appropriate safeguards may result from appropriate contractual clauses. Standard contractual terms have therefore been developed to regulate the transfers of data outside the EU by formalizing the protection rules contained in the Directive. Models were then adopted by the European Commission in accordance with Article 26 (4) of the Directive. In practice, this provision gave the Commission the power to find, by way of decision, that some standard contractual clauses offered sufficient safeguards, which then required the Member States to authorise the transfers based on these standard contractual clauses. The Commission decision should be adopted in accordance with the procedure laid down in Article 31, paragraph 2, providing for referral to the Committee under article 31 (see decisions 2001/497/EC 2002/16/EC; 2004/915/EC; 2010/87/EU).

An alternative to the standard contractual clauses has emerged since 2003: the internal corporate rules (called Binding Corporate Rules). Though initially sceptical, it was the Article 29 Working Party who developed this system in its working paper WP 74 of 3 June 2003  (working paper WP 74: Transfers of personal data to third countries pursuant to article 26 (2) of the Directive). It is a global and unique alternative that allows regulating all transfers of data within a group of undertakings, without systematically verifying the legal basis for the transfer (see the comments on Article 43 on the Binding Corporate Rules).

Potential issues

The new system is certainly clearer than the previous: safeguards need to be provided in the absence of a decision on adequacy by the Commission. The choice of safeguards is expanded and the national supervisory authorities will be able to intervene in a formalized procedure if the conventional safeguards cannot be implemented for reasons specific to the controller or the processor.

Of course, a specific difficulty would arise if the controller or the processor had considered, in the absence of official position of the Commission, that the recipient was located on a territory offering an adequate level of protection. They must then take one of the measures proposed to be in compliance with the Regulation. 

arrow_back Previous ArticleArticle 46Next Article arrow_forward
arrow_back Previous ArticleArticle 46 Next Article arrow_forward

Group 29

European data protection board (EDPB)

Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies (15 décembre 2020)

This document seeks to provide guidance as to the application of Articles 46 (2) (a) and 46 (3) (b) of the General Data Protection Regulation (GDPR) on transfers of personal data from EEA public authorities or bodies (hereafter “public bodies”) to public bodies in third countries or to international organisations, to the extent that these are not covered by an adequacy finding adopted by the European Commission . Public bodies may choose to use these mechanisms, which the GDPR considers more appropriate to their situation, but are also free to rely on other relevant tools providing for appropriate safeguards in accordance with Article 46 GDPR.

The guidelines are intended to give an indication as to the expectations of the European Data Protection Board (EDPB) on the safeguards required to be put in place by a legally binding and enforceable instrument between public bodies pursuant to Article 46 (2) (a) GDPR or, subject to authorisation from the competent supervisory authority (SA), by provisions to be inserted into administrative arrangements between public bodies pursuant to Article 46 (3) (b) GDPR. The EDPB strongly recommends parties to use the guidelines as a reference at an early stage when envisaging concluding or amending such instruments or arrangements.

The guidelines are to be read in conjunction with other previous work done by the EDPB (including endorsed documents by its predecessor, the Article 29 Working Party (“WP29”)) on the central questions of territorial scope and transfers of personal data to third countries . The guidelines will be reviewed and if necessary updated, based on the practical experience gained from the application of the GDPR.

The present guidelines cover international data transfers between public bodies occurring for various administrative cooperation purposes falling within the scope of the GDPR. As a consequence and in accordance with Article 2 (2) of the GDPR, they do not cover transfers in the area of public security, defence or state security. In addition, they do not deal with data processing and transfers by competent authorities for criminal law enforcement purposes, since this is governed by a separate specific instrument, the law enforcement Directive . Finally, the guidelines only focus on transfers between public bodies and do not cover transfers of personal data from a public body to a private entity or from a private entity to a public body.

Link

CJEU caselaw

C-311/18 (16 July 2020)

1.   Article 2(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that that regulation applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, irrespective of whether, at the time of that transfer or thereafter, that data is liable to be processed by the authorities of the third country in question for the purposes of public security, defence and State security.

2.   Article 46(1) and Article 46(2)(c) of Regulation 2016/679 must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter of Fundamental Rights of the European Union. To that end, the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation.

3.   Article 58(2)(f) and (j) of Regulation 2016/679 must be interpreted as meaning that, unless there is a valid European Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of that regulation and by the Charter of Fundamental Rights, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.

4.   Examination of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EU of the European Parliament and of the Council, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights has disclosed nothing to affect the validity of that decision.

5.   Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.

Opinion of Advocate general

Judgment of the Court

arrow_back Previous ArticleArticle 46 Next Article arrow_forward
Regulation
1e 2e

Art. 46

1.   In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2.   The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

a) a legally binding and enforceable instrument between public authorities or bodies;

b) binding corporate rules in accordance with Article 47;

c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);

d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);

e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or

f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3.   Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or

b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

4.   The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

5.   Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.
1st proposal close

Art. 42

1.           Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.

2.           The appropriate safeguards referred to in paragraph 1 shall be provided for, in particular, by:

(a)     binding corporate rules in accordance with Article 43; or

(b)     standard data protection clauses adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or

(c)     standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or

(d)     contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4.

3.           A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b) or (c) of paragraph 2 shall not require any further authorisation.

4.           Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

5.           Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.
2nd proposal close

Art. 42

1. In the absence of a decision pursuant to paragraph 3 of Article 41, a controller or processor may transfer personal data to (...) a third country or an international organisation only if the controller or processor has adduced appropriate safeguards, also covering onward transfers (...).

2. The appropriate safeguards referred to in paragraph 1 may be provided for (...), without requiring any specific authorisation from a supervisory authority, by:

(oa) a legally binding and enforceable instrument between public authorities or bodies; or

(a) binding corporate rules referred to in Article 43; or

(b) standard data protection clauses adopted by the Commission (...) in accordance with the examination procedure referred to in Article 87(2); or

(c) standard data protection clauses adopted by a superv isory authority (....) and adopted by the Commission pursuant to the examination procedure referred to in Article 87(2).

(d) an approved code of conduct pursuant to Article 38 together with binding and enforceable commitments of the controller or processor (...) in the third country to apply the appropriate safeguards, including as regards data subjects’ rights ; or

(e) an approved certification mechanism pursuant to Article 39 together with binding and enforceable commitments of the controller or processor (...) in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

2a. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the data (...) in the third country or international organisation; or

(b) (...)

(c) (...)

(d) provisions to be inserted into administrative arrangements between public authorities or bodies (...).

3. (...)

4. (...)

5. (...)

5a. The supervisory authority shall apply the consistency mechanism in the cases referred to in points (ca), (d), (e) and (f) of Article 57 (2).

5b. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 2.
Directive close

Art. 26

2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

3. The Member State shall inform the Commission and the other Member States of the authorizations it grants pursuant to paragraph 2.

If a Member State or the Commission objects on justified grounds involving the protection of the privacy and fundamental rights and freedoms of individuals, the Commission shall take appropriate measures in accordance with the procedure laid down in Article 31 (2).

Member States shall take the necessary measures to comply with the Commission's decision.

4. Where the Commission decides, in accordance with the procedure referred to in Article 31 (2), that certain standard contractual clauses offer sufficient safeguards as required by paragraph 2, Member States shall take the necessary measures to comply with the Commission's decision.
Denmark
compare_arrows

27. – (1) Transfer of data to a third country may take place only if the third country in question ensures an adequate level of protection, cf. however subsection (3).

(2) The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation, in particular the nature of the data, the purpose and duration of the processing operation, the country of origin and country of final destination, the rules of law in force in the third country in question and the professional rules and security measures which are complied with in that country.

(3) In addition to the cases mentioned in subsection (1), transfer of data to a third country may take place if:

  1. the data subject has given his explicit consent; or
  2. the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject’s request; or
  3. the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or
  4. the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or
  5. the transfer is necessary in order to protect the vital interests of the data subject; or
  6. the transfer is made from a register which according to law or regulations is open to consultation either by the public in general or by any person who can demonstrate legitimate interests, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case; or
  7. the transfer is necessary for the prevention, investigation and prosecution of criminal offences and the execution of sentences or the protection of persons charged, witnesses or other persons in criminal proceedings; or
  8. the transfer is necessary to safeguard public security, the defence of the Realm, or national security.

(4) Outside the scope of the transfers referred to in subsection (3), the Data Protection Agency may authorize a transfer of personal data to a third country which does not fulfil the provisions laid down in subsection (1), where the controller adduces adequate safeguards with respect to the protection of the rights of the data subject. Specific conditions may be laid down for the transfer. The Data Protection Agency shall inform the European Commission and the other Member States of the authorizations granted pursuant to this provision.

(5) The transfer of personal data to third countries may be carried out without authorization under the first clause of subsection (4), on the basis of contracts in accordance with the standard contractual clauses approved by the European Commission.

(6) The rules laid down in this Act shall otherwise apply to transfers of personal data to third countries in accordance with subsections (1) and (3) to (5).
arrow_back Previous ArticleArticle 46 Next Article arrow_forward
close

2016 - www.itiplaw.eu.