Transfers not on the basis of an adequacy decision
In the absence of an adequacy decision, a controller or processor may transfer personal data to a third country or an international organisation only if:
- The controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available (these are cumulative conditions). The controller or processor can then choose from the options below:
  - without requiring any specific authorisation from a supervisory authority:
    - a legally binding and enforceable instrument between public authorities or bodies;
    - binding corporate rules;
    - standard data protection clauses adopted by the Commission;
      - Commission decision (EU) 2021/914 can be used for transfer of personal data between:
        - controller in EU – controller in third country
        - controller in EU – processor in third country
        - processor in EU – processor in third country
        - processor in EU – controller in third country
      - On 25 May 2022, the European Commission issued a document “Questions and answers for standard contractual clauses” under Commission decision (EU) 2021/914. The document is available as “The New Standard Contractual Clauses – Questions And Answers”.
    - standard data protection clauses adopted by a supervisory authority and approved by the Commission;
    - an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or
    - an approved certification mechanism together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.
  - subject to the authorisation from the competent supervisory authority:
    - contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
    - provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
In so far as those tools cannot, having regard to their very nature, provide guarantees to ensure compliance with the level of protection required under EU law, the adoption of supplementary measures by the controller or processor may be required, depending on the prevailing position in a particular third country, in order to ensure compliance with that level of protection. You can find out more about the supplementary measures in the Recommendations on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data and in the Supplementary Measures Roadmap.
2. Derogations for specific situations
In the absence of an adequacy decision, or of appropriate safeguards, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
- the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
- the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- the transfer is necessary for important reasons of public interest;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
- the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
3. Compelling legitimate interests
Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in point 3 is applicable, a transfer to a third country or an international organisation may take place only if:
- the transfer is not repetitive,
- concerns only a limited number of data subjects,
- is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject,
- and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.
The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information, inform the data subject of the transfer and on the compelling legitimate interests pursued.