Every day, countless companies transfer personal data to third countries outside the European Union (EU) or the European Economic Area (EEA). In order for a third country transfer to take place, safeguards on the level of data protection in the third countries must be maintained. This is laid down in Articles 45 to 47 of the EU General Data Protection Regulation (GDPR). Possible exceptions to these safeguards are regulated in Art. 49 GDPR. In the following, we provide you with a summary of the circumstances in which data transfers to third countries can take place without safeguards.
The need for safeguards for transfers to third countries
From an economic point of view, data transfers to non-European countries are indispensable. The European legislature took this in account when enacting the GDPR. Therefore, Chapter V of the GDPR holds provisions under which personal data may leave the EU or EEA. These regulations are intended to guarantee data subjects that the protection of their data is not undermined by transfers to third countries. Another aim of these regulations is to prevent a so-called safe haven for processing outside of the EU or EEA, which could discriminate against European companies. The requirement for safeguards on the level of data protection in third countries should therefore allow for a balancing of the necessity of the data transfer for the economy and the protection of the fundamental rights of the data subjects.
Exceptions of Art. 49 GDPR
The European legislature has created an exception for the need for appropriate safeguards when transferring data to third countries under Art. 49 GDPR. According to this article, data may be transferred to third countries without the existence of suitable safeguards. Art. 49 GDPR lists these exceptions in Paragraph 1:
- Transmission with the explicit consent of the data subject Art. 49 (1)(a);
- Necessity of the transfer for the performance of a contract between the data subject and the controller or for the implementation of pre-contractual measures taken at the data subject’s request Art. 49 (1)(b);
- Necessity of the transfer for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person Art. 49 (1)(c) (This mainly concerns contracts for the benefit of third parties, such as, for example, orders for gifts from suppliers in third countries or contracts between a local travel company and service providers in the third country);
- Necessity of the transfer for important reasons of public interest Art. 49 (1)(d);
- Necessity of the transmission for the establishment, exercise or defence of legal claims Art. 49 (1)(e);
- Necessary to protect the vital interests of the data subject or of other persons where the data subject is physically or legally incapable of giving consent Art. 49 (1)(f);
- Transmission from a public register Art. 49 (1)(g).
In Paragraph 2, Art. 49 GDPR provides for an additional exception: If there is no safeguard for a transfer to a third country and no exception under Paragraph 1 applies, personal data may be transferred to a third country if this is necessary to safeguard the legitimate interests of the controller and if certain prerequisites are observed.
At first glance, Art. 49 GDPR appears to cover a very large number of cases. However, this appearance is deceptive. The wording as well as Recital 111 of the GDPR severely restrict the exceptional cases, as the European Data Protection Board (EDPB) has pointed out in its Guideline2/2018 on derogations of Article 49 of Regulation 2016/679.
Explicit consent
In the case of the exception under Art. 49 (1)(a) GDPR, explicit consent is required. This must be given voluntarily, be informed and for the specific case. In other words, a data subject must be adequately informed about the transfer of their data to a third country. The legal situation and potential rights of the data subject must also be taken into account. In particular, it must be emphasised that the third country does not provide adequate protection of personal data and that there are no appropriate safeguards. In the case of a transfer to the U.S., for example, it must be expressly pointed out that U.S. authorities have extensive access to the data and that there are no legal remedies to counter this access. General consent cannot be obtained here – only consent for the case at hand. Consent by data subjects to the permanent transfer of data to a third country for one or more purposes cannot be justified on the basis of Art. 49 (1)(a) GDPR.
Required and occasional transmission
For the exceptions under Art. 49(1)(b), (c) and (e) GDPR, Recital 111 GDPR states that the transfer must be necessary and may only be occasional. It must be assessed whether the transfer of personal data can be considered necessary for the specific purpose of the derogation. A close link between the transfer and the purpose is therefore necessary.
In this context, it means that occasionally the transmission may take place more than once but by no means regularly. Furthermore, only transfers of data that take place outside the normal course of business should be covered by these exceptions. Transfers that are regular or continuous between the data exporter and importer cannot be considered occasional. A data transfer can also no longer be regarded as occasional if the data importer has continuous general and direct access to the data, e.g. via an interface to an IT application. The kind of transfer that qualifies as occasional therefore depends strongly on the individual case and must be checked and sufficiently documented.
Safeguarding the public interest
In the case of the exception under Art. 49 (1)(d) GDPR, data may be transferred to third countries for important reasons of public interest. However, data may only be transferred if there is an existing applicable law in the Member State to which the controller is subject or EU law states that the requested data transfer is permissible for the purpose of safeguarding important public interests. Otherwise, a data transfer cannot be based on this exception.
Protection of vital interests
According to Art. 49 (1)(f) GDPR, personal data can always be transmitted if a medical emergency exists as a result of which the data is required for diagnosis and treatment, but the data subject cannot give his or her consent. In such cases it is assumed that the risk to health outweighs the data protection concerns.
Public register
Personal data may also be transferred from public registers in accordance with Art. 49 (1)(g) GDPR. In this case, the relevant register must serve to inform the public; a private register does not suffice. In addition, the general public or any person who can demonstrate a legitimate interest must be able to view information in the register. For example, registers of associations, companies or criminal records are covered by this exception. It should be noted that an entire category of personal data may not be transmitted; only individual, necessary information can be taken from the registers.
Compelling legitimate interests
If none of the above-mentioned exceptions apply, data may still be transferred to non-European countries on the basis of compelling legitimate interests in accordance with Art. 49 (2) GDPR. However, this exception should be regarded as a last resort for data transfer, as is also shown in Recital 113 of the GDPR. If data is transferred on the basis of compelling legitimate interests, the controller must be able to prove that no suitable safeguards were available and that the exceptions under Art. 49 (1) GDPR were not applicable.
There must be compelling legitimate interests, i.e. the interest in the data transfer must be essential. This can be assumed, for example, if the controller has to transfer personal data to protect his or her systems against serious penalties. In this case, however, the compelling interest of the controller must always be weighed against the rights and freedoms of the data subjects. Only if the interests of the controller outweigh the rights of the data subjects may the data be transferred.
It should also be noted that the transmission must not be performed repeatedly and must involve a limited number of data subjects. Furthermore, additional measures must guarantee a minimum risk for data subjects. One such additional measure, for example, could be the requirement for immediate deletion after fulfilment of the purpose. Finally, Art. 49 (2) GDPR provides that the relevant competent supervisory authority must be notified, which is intended to serve as an additional guarantee, and that the data subjects must be informed in accordance with Art. 13 and 14 GDPR.
Conclusion: Transfers to third countries under Art. 49 GDPR remain an exception
All in all, one can say that Art. 49 GDPR is exactly what its title suggests: an exception. The provision is not intended to simply allow data to be transferred to third countries, as only by complying with the safeguards or restricted use of the exceptions can data subjects, as well as European companies, be adequately protected.
It is recommended to check carefully whether an exceptional case according to Art. 49 GDPR exists and to document such checks carefully. This is the only way to comply with the GDPR obligation to provide evidence and to ensure that data transfer conforms with the GDPR.