Article 46
Transfers subject to appropriate safeguards
(105) Apart from the international commitments the third country or international organisation has entered into, the Commission should take account of obligations arising from the third country's or international organisation's participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or international organisations.
(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.
(109) The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.
(110) A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.
(114) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred so that that they will continue to benefit from fundamental rights and safeguards.
(59) Whereas particular measures may be taken to compensate for the lack of protection in a third country in cases where the controller offers appropriate safeguards; whereas, moreover, provision must be made for procedures for negotiations between the Community and such third countries;
The GDPR
Article 46 of the Regulation repeats and details the exception laid down in article 26 (2) of the Directive, if sufficient safeguards are provided by the controller or the processor and in the absence of a Commission decision finding an adequate level of protection. We should remember here that the controller or the processor is no longer required to appreciate this level. In the absence of such a decision, the conditions of such an exception must be met (or one of those provided for in Articles 47 and 49).
The final version of the Regulation supplements paragraph 1 of Article 46, adding that the transfer with appropriate safeguards is authorised only on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
The implementation of the measures listed in article 46 (2) takes place without permission of the supervisory authority; it can be:
- by a legally binding and enforceable instrument between public authorities or bodies (a) or
- by binding corporate rules in accordance with Article 47. Recital 110 adds that these corporate rules must include the essential principles and the enforceable rights providing appropriate safeguards for the transfers or the categories of transfers of personal data or
- by standard data protection clauses adopted by the Commission (c) or jointly by a supervisory authority and by the Commission (d), or
- by a an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights (e).
- by an approved certification mechanism pursuant to Article 42 certifying the compliance of the processing with the rules of the Union (f)).
Paragraph 3 details other measures for which the prior authorization of the competent supervisory authority is required. In these cases, the supervisory authority must respect the consistency mechanism defined in Article 64, stipulating that the opinion of the European Data Protection Board must be required (see 64 (1), e)).
Subject to the authorization are:
- the contractual clauses that would not have been subject to prior adoption by the Commission or by a national supervisory authority, entered into between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization (Art. 46 (3), a)) or
- provisions to be inserted into administrative arrangements between public authorities or bodies (Art. 46 (3), b)). The final version of the Regulation specifies that these arrangements should ensure the effectiveness of the rights granted to data subjects.
Lastly, Paragraph 5 states that the authorizations issued by a Member State or a supervisory authority pursuant to the Directive remain valid until their amendment, revision, or repealing by the same authority. The same applies to the decisions of the Commission taken pursuant to Article 26 (4) of the Directive.
The Directive
The Directive provided various exceptions to the prohibition of treatment resulting from the absence of an adequate level of protection.
One of them is laid down in Article 26 (2) and applies when the controller offers sufficient safeguards with respect to the protection of the privacy and fundamental rights of individuals, as well as with respect to the exercise of the corresponding rights and freedoms. This derogation implies that the controller shall have taken special measures to meet the shortfall in the level of protection of the country of destination of the personal data.
According to Article 26 (2) of the Directive, these appropriate safeguards may result from appropriate contractual clauses. Standard contractual terms have therefore been developed to regulate the transfers of data outside the EU by formalizing the protection rules contained in the Directive. Models were then adopted by the European Commission in accordance with Article 26 (4) of the Directive. In practice, this provision gave the Commission the power to find, by way of decision, that some standard contractual clauses offered sufficient safeguards, which then required the Member States to authorise the transfers based on these standard contractual clauses. The Commission decision should be adopted in accordance with the procedure laid down in Article 31, paragraph 2, providing for referral to the Committee under article 31 (see decisions 2001/497/EC 2002/16/EC; 2004/915/EC; 2010/87/EU).
An alternative to the standard contractual clauses has emerged since 2003: the internal corporate rules (called Binding Corporate Rules). Though initially sceptical, it was the Article 29 Working Party who developed this system in its working paper WP 74 of 3 June 2003 (working paper WP 74: Transfers of personal data to third countries pursuant to article 26 (2) of the Directive). It is a global and unique alternative that allows regulating all transfers of data within a group of undertakings, without systematically verifying the legal basis for the transfer (see the comments on Article 43 on the Binding Corporate Rules).
Potential issues
The new system is certainly clearer than the previous: safeguards need to be provided in the absence of a decision on adequacy by the Commission. The choice of safeguards is expanded and the national supervisory authorities will be able to intervene in a formalized procedure if the conventional safeguards cannot be implemented for reasons specific to the controller or the processor.
Of course, a specific difficulty would arise if the controller or the processor had considered, in the absence of official position of the Commission, that the recipient was located on a territory offering an adequate level of protection. They must then take one of the measures proposed to be in compliance with the Regulation.
Summary
European Union
-
European data protection board (EDPB)
- Frequently Asked Questions on the judgment in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (23 July 2020)
- Recommendations on the European Essential Guarantees for surveillance measures - 2/2020 (10 November 2020)
- Guidelines on articles 46.2.a and 46.3.b of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies - 2/2020 (15 décembre 2020)
- Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, version 2.0 - 1/2020 (18 June 2021)
- Statement on the announcement of an agreement in principle on a new Trans-Atlantic Data Privacy Framework - 1/2022 (6 April 2022)
- The New standard contractual clauses - Questions ans answers
- Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, (4 June 2021)
European Union
European data protection board (EDPB)
Frequently Asked Questions on the judgment in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (23 July 2020)
This document aims at presenting answers to some frequently asked questions received by supervisory authorities (“SAs”) and will be developed and complemented along with further analysis, as the EDPB continues to examine and assess the judgment of the Court of Justice of the European Union (the “Court”).
Recommendations on the European Essential Guarantees for surveillance measures - 2/2020 (10 November 2020)
1. Following the Schrems I judgment, EU Data Protection Authorities assembled in the Working Party 29 drew upon the jurisprudence to identify the European Essential Guarantees, which need to be respected to make sure interferences with the rights to privacy and the protection of personal data, through surveillance measures, when transferring personal data, do not go beyond what is necessary and proportionate in a democratic society.
2. The EDPB would like to stressthat the European Essential Guarantees are based on the jurisprudence of the Court of Justice of the European Union (hereinafter: CJEU) related to Articles 7, 8, 47 and 52 of the Charter of Fundamental Rights of the EU (hereinafter: the Charter) and, as the case may be, on the jurisprudence of the European Court of Human Rights (hereinafter: ECtHR) related to Article 8 of the European Convention on Human Rights (hereinafter: ECHR) dealing with surveillance issues in States party to the ECHR.
3. The update of this paper is meant to further develop the European Essential Guarantees, originally drafted in response to the Schrems I judgment4 by reflecting the clarifications provided by the CJEU (and by the ECtHR) since it was first published, in particular in its landmark Schrems II judgment.
4. In its Schrems II judgment, the CJEU stated that the examination of the Commission Decision 2010/87/EU on standard contractual clauses for the transfer of personal data to processors established in third countries, in the light of Articles 7, 8 and 47 of the Charter, has disclosed nothing to affect the validity of that decision, but invalidated the Privacy Shield Decision. The CJEU held that the Privacy Shield Decision was incompatible with Article 45 (1) GDPR, in the light of Articles 7, 8, and 47 of the Charter. The judgment can thus serve as an example where surveillance measures in a third country (in this case the U.S. with Section 702 FISA and Executive Order 12 333) are neither sufficiently limited nor object of an effective redress available to data subjects to enforce their rights, as required under EU law in order to consider the level of protection in a third country to be “essentially equivalent” to that guaranteed within the European Union within the meaning of Article 45 (1) of the GDPR.
5. The reasons for the invalidation of the Privacy Shield also have consequences on other transfer tools. Even though the Court interpreted Article 46(1) GDPR in the context of the validity of the Standard Contractual Clauses (hereinafter: SCCs), its interpretation applies to any transfer to third countries relying on any of the tools referred to in Article 46 GDPR.
6. It is ultimately for the CJEU to judge whether interferences with a fundamental right can be justified. However, in absence of such a judgment and in application of the standing jurisprudence, data protection authorities are required to assess individual cases, either ex officio or following a complaint, and to either refer the case to a national Court if they suspect that the transfer does not comply with Article 45 where there is an adequacy decision, or to suspend or prohibit the transfer if they find Article 46 GDPR cannot be complied with and the protection of the data transferred required by EU law cannot be ensured by other means.
7. The aim of the updated European Essential Guarantees is to provide elements to examine, whether surveillance measures allowing access to personal data by public authorities in a third country, being national security agencies or law enforcement authorities, can be regarded as a justifiable interference or not.
8. Indeed, the European Essential Guarantees form part of the assessment to conduct in order to determine whether a third country provides a level of protection essentially equivalent to that guaranteed within the EU but do not aim on their own at defining all the elements which are necessary to consider that a third country provides such a level of protection in accordance with Article 45 of the GDPR. Likewise, they do not aim on their own at defining all the elements that might be necessary to consider when assessing whether the legal regime of a third country prevents the data exporter and data importer from ensuring appropriate safeguards in accordance with Article 46 of the GDPR.
9. Therefore, the elements provided in this paper should be seen as the essential guarantees to be found in the third country when assessing the interference, entailed by a third country surveillance measures, with the rights to privacy and to data protection, rather than a list of elements to demonstrate that the legal regime of a third country as a whole is providing an essentially equivalent level of protection.
10. Article 6(3) of the Treaty on European Union establishes that the fundamental rights enshrined in the ECHR constitute general principles of EU law. However, as the CJEU recalls in its jurisprudence, the latter does not constitute, as long as the European Union has not acceded to it, a legal instrument which has been formally incorporated into EU law. Thus, the level of protection of fundamental rights required by Article 46(1) of the GDPR must be determined on the basis of the provisions of that regulation, read in the light of the fundamental rights enshrined in the Charter. This being said, according to Article 52(3) of the Charter the rights contained therein which correspond to rights guaranteed by the ECHR are to have the same meaning and scope as those laid down by that Convention, and consequently, as recalled by the CJEU, the jurisprudence of the ECtHR concerning rights which are also foreseen in the Charter of Fundamental Rights of the EU must be taken into account, as a minimum threshold of protection to interpret corresponding rights in the Charter.9 According to the last sentence of Article 52(3) of the Charter, however, “[t]his provision shall not prevent Union law providing more extensive protection.”
11. Therefore, the substance of the Essential Guarantees will continue to be partly based on the jurisprudence of the ECtHR, to the extent that the Charter as interpreted by the CJEU does not provide for a higher level of protection which prescribes other requirements than the ECtHR case law.
12. This paper explains the background and further details the four European Essential Guarantees.
Guidelines on articles 46.2.a and 46.3.b of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies - 2/2020 (15 décembre 2020)
This document seeks to provide guidance as to the application of Articles 46 (2) (a) and 46 (3) (b) of the General Data Protection Regulation (GDPR) on transfers of personal data from EEA public authorities or bodies (hereafter “public bodies”) to public bodies in third countries or to international organisations, to the extent that these are not covered by an adequacy finding adopted by the European Commission . Public bodies may choose to use these mechanisms, which the GDPR considers more appropriate to their situation, but are also free to rely on other relevant tools providing for appropriate safeguards in accordance with Article 46 GDPR.
The guidelines are intended to give an indication as to the expectations of the European Data Protection Board (EDPB) on the safeguards required to be put in place by a legally binding and enforceable instrument between public bodies pursuant to Article 46 (2) (a) GDPR or, subject to authorisation from the competent supervisory authority (SA), by provisions to be inserted into administrative arrangements between public bodies pursuant to Article 46 (3) (b) GDPR. The EDPB strongly recommends parties to use the guidelines as a reference at an early stage when envisaging concluding or amending such instruments or arrangements.
The guidelines are to be read in conjunction with other previous work done by the EDPB (including endorsed documents by its predecessor, the Article 29 Working Party (“WP29”)) on the central questions of territorial scope and transfers of personal data to third countries . The guidelines will be reviewed and if necessary updated, based on the practical experience gained from the application of the GDPR.
The present guidelines cover international data transfers between public bodies occurring for various administrative cooperation purposes falling within the scope of the GDPR. As a consequence and in accordance with Article 2 (2) of the GDPR, they do not cover transfers in the area of public security, defence or state security. In addition, they do not deal with data processing and transfers by competent authorities for criminal law enforcement purposes, since this is governed by a separate specific instrument, the law enforcement Directive . Finally, the guidelines only focus on transfers between public bodies and do not cover transfers of personal data from a public body to a private entity or from a private entity to a public body.
Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, version 2.0 - 1/2020 (18 June 2021)
The EU General Data Protection Regulation (GDPR) was adopted to serve a dual-purpose: facilitating the free flow of personal data within the European Union, while preserving the fundamental rights and freedoms of individuals, in particular their right to the protection of personal data.
In its recent judgment C-311/18 (Schrems II) the Court of Justice of the European Union (CJEU) reminds us that the protection granted to personal data in the European Economic Area (EEA) must travel with the data wherever it goes. Transferring personal data to third countries cannot be a means to undermine or water down the protection it is afforded in the EEA. The Court also asserts this by clarifying that the level of protection in third countries does not need to be identical to that guaranteed within the EEA but essentially equivalent. The Court also upholds the validity of standard contractual clauses, as a transfer tool that may serve to ensure contractually an essentially equivalent level of protection for data transferred to third countries.
Standard contractual clauses and other transfer tools mentioned under Article 46 GDPR do not operate in a vacuum. The Court states that controllers or processors, acting as exporters, are responsible for verifying, on a case-by-case basis and, where appropriate, in collaboration with the importer in the third country, if the law or practice of the third country impinges on the effectiveness of the appropriate safeguards contained in the Article 46 GDPR transfer tools. In those cases, the Court still leaves open the possibility for exporters to implement supplementary measures that fill these gaps in the protection and bring it up to the level required by EU law. The Court does not specify which measures these could be. However, the Court underlines that exporters will need to identify them on a case-by-case basis. This is in line with the principle of accountability of Article 5.2 GDPR, which requires controllers to be responsible for, and be able to demonstrate compliance with the GDPR principles relating to processing of personal data.
To help exporters (be they controllers or processors, private entities or public bodies, processing personal data within the scope of application of the GDPR) with the complex task of assessing third countries and identifying appropriate supplementary measures where needed, the European Data Protection Board (EDPB) has adopted these recommendations. These recommendations provide exporters with a series of steps to follow, potential sources of information, and some examples of supplementary measures that could be put in place.
As a first step, the EDPB advises you, exporters, to know your transfers. Mapping all transfers of personal data to third countries can be a difficult exercise. Being aware of where the personal data goes is however necessary to ensure that it is afforded an essentially equivalent level of protection wherever it is processed. You must also verify that the data you transfer is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
A second step is to verify the transfer tool your transfer relies on, amongst those listed under Chapter V GDPR. If the European Commission has already declared the country, region or sector to which you are transferring the data as adequate, through one of its adequacy decisions under Article 45 GDPR or under the previous Directive 95/46 as long as the decision is still in force, you will not need to take any further steps, other than monitoring that the adequacy decision remains valid. In the absence of an adequacy decision, you need to rely on one of the transfer tools listed under Articles 46 GDPR. Only in some cases you may be able to rely on one of the derogations provided for in Article 49 GDPR if you meet the conditions. Derogations cannot become “the rule” in practice, but need to be restricted to specific situations.
A third step is to assess if there is anything in the law and/or practices in force of the third country that may impinge on the effectiveness of the appropriate safeguards of the transfer tools you are relying on, in the context of your specific transfer. Your assessment should be focused first and foremost on third country legislation that is relevant to your transfer and the Article 46 GDPR transfer tool you are relying on. Examining also the practices of the third country’s public authorities will allow you to verify if the safeguards contained in the transfer tool can ensure, in practice, the effective protection of the personal data transferred. Examining these practices will be especially relevant for your assessment where:
(i) legislation in the third country formally meeting EU standards is manifestly not applied/complied with in practice;
(ii) there are practices incompatible with the commitments of the transfer tool where relevant legislation in the third country is lacking;
(iii) your transferred data and/or importer fall or might fall within the scope of problematic legislation (i.e. impinging on the transfer tool’s contractual guarantee of an essentially equivalent level of protection and not meeting EU standards on fundamental rights, necessity and proportionality).
In the first two situations, you will have to suspend the transfer or implement adequate supplementary measures if you wish to proceed with it.
In the third situation, in light of uncertainties surrounding the potential application of problematic legislation to your transfer, you may decide to: suspend the transfer; implement supplementary measures to proceed with it; or alternatively, you may decide to proceed with the transfer without implementing supplementary measures if you consider and are able to demonstrate and document that you have no reason to believe that relevant and problematic legislation will be interpreted and/or applied in practice so as to cover your transferred data and importer. For evaluating the elements to be taken into account when assessing the law of a third country dealing with access to data by public authorities for the purpose of surveillance, please refer to the EDPB European Essential Guarantees recommendations. You should conduct this assessment with due diligence and document it thoroughly. Your competent supervisory and/or judicial authorities may request it and hold you accountable for any decision you take on that basis.
A fourth step is to identify and adopt supplementary measures that are necessary to bring the level of protection of the data transferred up to the EU standard of essential equivalence. This step is only necessary if your assessment reveals that the third country legislation and/or practices impinge on the effectiveness of the Article 46 GDPR transfer tool you are relying on or you intend to rely on in the context of your transfer. These recommendations contain (in Annex 2) a non-exhaustive list of examples of supplementary measures with some of the conditions they would require to be effective. As is the case for the appropriate safeguards contained in the Article 46 transfer tools, some supplementary measures may be effective in some countries, but not necessarily in others. You will be responsible for assessing their effectiveness in the context of the transfer, and in light of the third country law and practices and the transfer tool you are relying on, as you will be held accountable for any decision you take on that basis. This might also require you to combine several supplementary measures. You may ultimately find that no supplementary measure can ensure an essentially equivalent level of protection for your specific transfer. In those cases where no supplementary measure is suitable, you must avoid, suspend or terminate the transfer to avoid compromising the level of protection of the personal data. You should also conduct this assessment of supplementary measures with due diligence and document it.
A fifth step is to take any formal procedural steps the adoption of your supplementary measure may require, depending on the Article 46 GDPR transfer tool you are relying on. These recommendations specify some of these formalities. You may need to consult your competent supervisory authorities on some of them.
The sixth and final step is to re-evaluate at appropriate intervals the level of protection afforded to the personal data you transfer to third countries and to monitor if there have been or there will be any developments that may affect it. The principle of accountability requires continuous vigilance of the level of protection of personal data.
Supervisory authorities will continue exercising their mandate to monitor the application of the GDPR and enforce it. Supervisory authorities will pay due consideration to the actions exporters take to ensure that the data they transfer is afforded an essentially equivalent level of protection. As the Court recalls, supervisory authorities will suspend or prohibit data transfers in those cases where they find that an essentially equivalent level of protection cannot be ensured, following an investigation or a complaint. Supervisory authorities will continue developing guidance for exporters and coordinating their actions in the EDPB to ensure consistency in the application of EU data protection law.
Statement on the announcement of an agreement in principle on a new Trans-Atlantic Data Privacy Framework - 1/2022 (6 April 2022)
The EDPB welcomes the announcement of a political agreement in principle between the European Commission and the United States on 25 March on a new Trans-Atlantic Data Privacy Framework. This announcement is made at a time where transfers from the European Economic Area to the U.S. face significant challenges. The commitment of the U.S. highest authorities to establish ‘unprecedented’ measures to protect the privacy and personal data of individuals in the European Economic Area (EEA individuals) when their data are transferred to the U.S. is a positive first step in the right direction. The EDPB will examine how this political agreement translates into concrete legal proposals to address the concerns raised by the Court of Justice of the European Union (CJEU) in order to provide legal certainty to EEA individuals and exporters of data. At this stage, this announcement does not constitute a legal framework on which data exporters can base their data transfers to the United States. Data exporters must therefore continue taking the actions required to comply with the case law of the CJEU, and in particular its Schrems II decision of 16 July 2020. The GDPR requires that the Commission seeks an opinion of the EDPB before adopting a possible new adequacy decision recognising as satisfactory the level of data protection guaranteed by the U.S. authorities. The EDPB looks forward to assessing carefully the improvements that a new Trans-Atlantic Data Privacy Framework may bring in the light of EU law, the case-law of the CJEU and the recommendations the EDPB made on that basis. The EDPB will prepare its opinion when it receives from the European Commission all supporting documents. In particular, the EDPB will analyse in detail how these reforms ensure that the collection of personal data for national security purposes is limited to what is strictly necessary and proportionate. The EDPB will also examine to what extent the announced independent redress mechanism respects the EEA individuals’ right to an effective remedy and to a fair trial. In particular, the EDPB will look at whether any new authority part of this mechanism has access to relevant information, including personal data, when exercising its mission and can adopt decisions binding on the intelligence services. The EDPB will also consider whether there is a judicial remedy against this authority’s decisions or inaction. The EDPB remains committed to playing a constructive part in securing a transatlantic transfer of personal data that benefits EEA individuals and organisations. The EDPB stands ready to provide the European Commission with support to help it build, together with the U.S., a new framework that fully complies with EU data protection law.
The New standard contractual clauses - Questions ans answers
On 4 June 2021, the European Commission adopted two sets of standard contractual clauses, one for the use between controllers and processors within the European Economic Area1 (EEA) and one for the transfer of personal data to countries outside of the EEA. The purpose of these Q&As is to provide practical guidance on the use of the SCCs to assist stakeholders with their compliance efforts. The information in this document does not constitute legal advice. Instead, it is provided for general informational purposes only. The monitoring and enforcement of compliance with EU data protection law by controllers and processors falls within the competence of the national supervisory authorities and courts. The list and contact details of national data protection authorities in the EEA is available here: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
These Q&As are based on feedback received from various stakeholders on their experience with using the new SCCs in the first months after their adoption. This page is intended to be a ‘dynamic’ source of information and its content will be updated as new questions arise.
Guidelines 07/2022 on certification as a tool for transfers (14 February 2023)
The GDPR requires in its Article 46 that data exporters shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by data exporters under Article 46 for framing transfers to third countries by introducing, amongst others, certification as a new transfer mechanism (Articles 42 (2) and 46 (2) (f) GDPR).
These guidelines provide guidance as to the application of Article 46 (2) (f) of the GDPR on transfers of personal data to third countries or to international organisations on the basis of certification. The document is structured in four sections with an Annex.
Part one of this document ("GENERAL") clarifies that the guidelines supplement the already existing general Guidelines 1/2018 on certification and addresses specific requirements from Chapter V of the GDPR when certification is used as a transfer tool. According to Article 44 of the GDPR, any transfer of personal data to third countries or international organisations, must meet the conditions of the other provisions of the GDPR in addition to complying with Chapter V of the GDPR. Therefore, as a first step, compliance with the general provisions of the GDPR must be ensured and, as a second step, the provisions of Chapter V of the GDPR must be complied with. The actors who are involved and their core roles in this context are described, with a special focus on the role of the data importer who will be granted a certification and of the data exporter who will use it as a tool to frame its transfers (considering that the responsibility for data processing compliance remains with the data exporter). In this context the certification can also include measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data. Part one of the guidelines also contains information on the process for obtaining a certification to be used as tool for transfers.
The second part of these guidelines (“IMPLEMENTING GUIDANCE ON THE ACCREDITATION REQUIREMENTS”) recalls that the requirements for accreditation of a certification body are to be found in ISO 17065 and by interpreting the Guidelines 4/2018 on the accreditation of certification bodies under Article 43 of the GDPR and its Annex against the background of Chapter V. However, in the context of a transfer, these guidelines further explain some of the accreditation requirements applicable to the certification body.
The third part of these guidelines ("SPECIFIC CERTIFICATION CRITERIA") provides for guidance on the certification criteria already listed in Guidelines 1/2018 and establishes additional specific criteria that should be included in a certification mechanism to be used as a tool for transfers to third countries. These criteria cover the assessment of the third country legislation, the general obligations of exporters and importers, rules on onward transfers, redress and enforcement, process and actions for situations in which national legislation and practices prevents compliance with commitments taken as part of certification and requests for data access by third country authorities.
Part four of these guidelines (“BINDING AND ENFORCEABLE COMMITMENTS TO BE IMPLEMENTED“) provides elements that should be addressed in the binding and enforceable commitments that controllers or processors not subject to the GDPR should take for the purpose of providing appropriate safeguards to data transferred to third countries. These commitments, which may be set out in different instruments including contracts, shall in particular include a warranty that the importer has no reason to believe that the laws and practices in the third country applicable to the processing at stake, including any requirements to disclose personal data or measures authorising access by public authorities, prevent it from fulfilling its commitments under the certification.
The ANNEX of these guidelines contains some examples of supplementary measures in line with those listed in Annex II Recommendations 01/2020 (Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data) in the context of the use of a certification as a tool for transfers. Examples are constructed with a view to raise attention to critical situations.
The European Commission
Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, (4 June 2021)
The models of standard contractual clauses are still relevant and were updated by the European Commission on June 4, 2021.
Summary
European Union
European Union
CJEU caselaw
C-101/01 (23 February 2001) - Criminal proceedings against Bodil Lindqvist
1. The act of referring, on an internet page, to various persons and identifying them by name or by other means, for instance by giving their telephone number or information regarding their working conditions and hobbies, constitutes the processing of personal data wholly or partly by automatic means within the meaning of Article 3(1) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
2. Such processing of personal data is not covered by any of the exceptions in Article 3(2) of Directive 95/46.
3. Reference to the fact that an individual has injured her foot and is on half-time on medical grounds constitutes personal data concerning health within the meaning of Article 8(1) of Directive 95/46.
4. There is no transfer [of data] to a third country within the meaning of Article 25 of Directive 95/46 where an individual in a Member State loads personal data onto an internet page which is stored on an internet site on which the page can be consulted and which is hosted by a natural or legal person who is established in that State or in another Member State, thereby making those data accessible to anyone who connects to the internet, including people in a third country.
5. The provisions of Directive 95/46 do not, in themselves, bring about a restriction which conflicts with the general principles of freedom of ex
6. Measures taken by the Member States to ensure the protection of personal data must be consistent both with the provisions of Directive 95/46 and with its objective of maintaining a balance between freedom of movement of personal data and the protection of private life. However, nothing prevents a Member State from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included in the scope thereof provided that no other provision of Community law precludes it.
C-311/18 (16 July 2020) - Facebook Ireland et Schrems
1. Article 2(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that that regulation applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, irrespective of whether, at the time of that transfer or thereafter, that data is liable to be processed by the authorities of the third country in question for the purposes of public security, defence and State security.
2. Article 46(1) and Article 46(2)(c) of Regulation 2016/679 must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter of Fundamental Rights of the European Union. To that end, the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation.
3. Article 58(2)(f) and (j) of Regulation 2016/679 must be interpreted as meaning that, unless there is a valid European Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of that regulation and by the Charter of Fundamental Rights, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.
4. Examination of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EU of the European Parliament and of the Council, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights has disclosed nothing to affect the validity of that decision.
5. Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.
Retour au sommaire Retour au sommaire
Art. 46 1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available. 2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by: a) a legally binding and enforceable instrument between public authorities or bodies; b) binding corporate rules in accordance with Article 47; c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2); d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2); e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights. 3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by: a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights. 4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article. 5. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article. |
1st proposal
close
Art. 42 1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument. 2. The appropriate safeguards referred to in paragraph 1 shall be provided for, in particular, by: (a) binding corporate rules in accordance with Article 43; or (b) standard data protection clauses adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or (c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or (d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4. 3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b) or (c) of paragraph 2 shall not require any further authorisation. 4. Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. 5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority. |
2nd proposal
close
Art. 42 1. In the absence of a decision pursuant to paragraph 3 of Article 41, a controller or processor may transfer personal data to (...) a third country or an international organisation only if the controller or processor has adduced appropriate safeguards, also covering onward transfers (...). 2. The appropriate safeguards referred to in paragraph 1 may be provided for (...), without requiring any specific authorisation from a supervisory authority, by: (oa) a legally binding and enforceable instrument between public authorities or bodies; or (a) binding corporate rules referred to in Article 43; or (b) standard data protection clauses adopted by the Commission (...) in accordance with the examination procedure referred to in Article 87(2); or (c) standard data protection clauses adopted by a superv isory authority (....) and adopted by the Commission pursuant to the examination procedure referred to in Article 87(2). (d) an approved code of conduct pursuant to Article 38 together with binding and enforceable commitments of the controller or processor (...) in the third country to apply the appropriate safeguards, including as regards data subjects’ rights ; or (e) an approved certification mechanism pursuant to Article 39 together with binding and enforceable commitments of the controller or processor (...) in the third country to apply the appropriate safeguards, including as regards data subjects’ rights. 2a. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by: (a) contractual clauses between the controller or processor and the controller, processor or the recipient of the data (...) in the third country or international organisation; or (b) (...) (c) (...) (d) provisions to be inserted into administrative arrangements between public authorities or bodies (...). 3. (...) 4. (...) 5. (...) 5a. The supervisory authority shall apply the consistency mechanism in the cases referred to in points (ca), (d), (e) and (f) of Article 57 (2). 5b. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 2. |
Directive close
Art. 26 2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses. 3. The Member State shall inform the Commission and the other Member States of the authorizations it grants pursuant to paragraph 2. If a Member State or the Commission objects on justified grounds involving the protection of the privacy and fundamental rights and freedoms of individuals, the Commission shall take appropriate measures in accordance with the procedure laid down in Article 31 (2). Member States shall take the necessary measures to comply with the Commission's decision. 4. Where the Commission decides, in accordance with the procedure referred to in Article 31 (2), that certain standard contractual clauses offer sufficient safeguards as required by paragraph 2, Member States shall take the necessary measures to comply with the Commission's decision. |
Denmark
27. – (1) Transfer of data to a third country may take place only if the third country in question ensures an adequate level of protection, cf. however subsection (3). (2) The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation, in particular the nature of the data, the purpose and duration of the processing operation, the country of origin and country of final destination, the rules of law in force in the third country in question and the professional rules and security measures which are complied with in that country. (3) In addition to the cases mentioned in subsection (1), transfer of data to a third country may take place if:
(4) Outside the scope of the transfers referred to in subsection (3), the Data Protection Agency may authorize a transfer of personal data to a third country which does not fulfil the provisions laid down in subsection (1), where the controller adduces adequate safeguards with respect to the protection of the rights of the data subject. Specific conditions may be laid down for the transfer. The Data Protection Agency shall inform the European Commission and the other Member States of the authorizations granted pursuant to this provision. (5) The transfer of personal data to third countries may be carried out without authorization under the first clause of subsection (4), on the basis of contracts in accordance with the standard contractual clauses approved by the European Commission. (6) The rules laid down in this Act shall otherwise apply to transfers of personal data to third countries in accordance with subsections (1) and (3) to (5). |