Author: Peter Schantz
1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:
(a) a legally binding and enforceable instrument between public authorities or bodies;
(b) binding corporate rules in accordance with Article 47;
(c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
(d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
(e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
(f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.
3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:
(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
(b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.
5. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.
I. Purpose
As adequacy decisions are still rare and recourse to Art. 49 remains an exception, Art. 46 provides an alternative by establishing a specific data protection regime for the recipient that applies to data transferred from the EU. In this way, deficiencies in the level of data protection in the third country can be compensated for in many ways. However, this approach has its limits, as it cannot compensate for deficiencies that stem from the legal system of the third country to which the recipient is subject.
II. Legislative history
Art. 46 is preceded by Art. 26 para. 2 DPD, which had already provided for appropriate guarantees as grounds for the transfer of data to a third country which does not have an adequate level of data protection. By way of example, Art. 26 para. 2 DPD only mentioned standard data protection clauses. Art. 46 now recognizes a large number of other suitable guarantees.
The Commission’s proposal already allowed standard data protection clauses to be adopted by an SA, subject to approval by the Commission (paragraph 2 (d)). Following a proposal of the Council, additional guarantees were added: legally binding and enforceable instruments between public authorities or bodies, approved codes of conduct and administrative arrangements between public authorities or bodies and, also on a proposal from the EP, certification (para. 2 lit. a, e and f and para. 3 lit. b). The EP’s proposal for a sunset clause limiting approvals to two years was not adopted.
III. Relation to adequacy decisions
The wording of para. 1 is misleading, as it seems to permit the use of appropriate guarantees only if no adequacy decision exists. As shown by Art. 45 para. 7, appropriate guarantees are an independent ground for transfers to third countries, in addition to adequacy decisions under Art. 45. Excluding additional safeguards where an adequacy decision exists would be contrary to the underlying rationale of Chapter V (cf. Art. 44 sentence 2).[1] Furthermore, there is a need for appropriate safeguards, such as BCRs, as they allow for the establishment of a uniform data protection regime within a group of undertakings whose members are located in different third countries.
IV. General requirements (para. 1)
1. Appropriate safeguards
The purpose of appropriate safeguards is to establish, by contract or by unilateral obligation, an adequate level of data protection in the third country (recital 108). Although recital 108 only mentions the data subjects’ rights, the general principles relating to the processing of personal data and the principles of data protection by design and by default, this list is by no means exhaustive. Appropriate safeguards must reflect the material content of the GDPR with regard to the nature of the transferred data and the planned processing.[2] Accordingly, appropriate safeguards should be tailored to the specific context and should be as detailed as possible, similar to the requirements regarding BCRs pursuant to Art. 47 para. 2. In light of Art. 44 sentence 1 half-sentence 2, appropriate safeguards must provide that onward transfers by the recipient are only allowed under the conditions set out in Chapter V.
[…]
[1] Also Zerdick in Ehmann/Selmayr, Art. 46 para. 5.
[2] Case C-311/18, 16.07.2020, Schrems II, ECLI:EU:C:2020:559, para. 95–96; Art. 29 WP 12, Transfers of personal data to third countries: Applying Articles 25 and 26 of the EU data protection directive, adopted on 24 July 1998, 18.