The EU General Data Protection Regulation came into force more than a year ago. Most organizations transferring data out of the European Union to third countries and other international organizations should have already employed the appropriate safeguards mandated by the GDPR. These safeguards include binding corporate rules, standard contractual clauses and so on. That being said, have organizations explored the use of derogations mentioned in Article 49 of the GDPR?
Article 49 contains seven derogations, and, of these, Article 49(1)(b) is the most convenient one to use due to its straightforward application and lack of technology requirements. This provision states that “the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request.”
Can organizations depend on this derogation instead of relying on the aforementioned safeguards, and, if so, in which cases? Let’s look at two scenarios. First, an organization transfers employees’ personal data from an establishment in one country (within the EU) to its headquarters located in a non-adequate country to process employees’ salaries. In the second scenario, a data subject wishes to transfer money from their account with a bank located in the EU to a bank in a non-EU country where they work and live, and the latter country is not deemed adequate by the European Commission.
In the first scenario, it would be difficult to argue for the application of the Article 49(1)(b) derogation. Paying a salary to an employee is generally a vital element of an employment contract, and processing a salary is necessary for the performance of that contract. However, transferring personal data to a non-adequate country to process the salary is not necessary. In such cases, the organization has a spectrum of options available under the GDPR to process salaries — for instance, hire a processor in the EU or use standard contractual clauses (SCCs) with a non-EU processor, process salaries in one of its branches in the EU or another adequate country, rely on approved binding corporate rules (BCRs), and so on. Importantly, if an organization wishes to pursue its business interest, that interest should not outweigh the rights and freedoms of individuals guaranteed by the GDPR and other applicable rules and regulations.
The bank from the second scenario could potentially rely on Article 49(1)(b) if all the conditions under it are met. The first question the bank needs to address is whether the transfer is necessary to perform a contract with an individual. The answer could be in the affirmative: if an individual wishes to transfer money to the account of the bank in the respective non-adequate country, the bank could rely on the derogation, since the transfer is necessary to perform a contract with the individual.
The above notwithstanding, there is a catch here: Recital 111 of the GDPR introduces an additional criterion, “occasional.” Therefore, the transfer must be “occasional,” as well as “necessary,” if an organization wishes to rely on this derogation.
Referring back to our second scenario, if the bank located in the EU has occasional and irregular transfers to the bank in a non-adequate country, it could potentially rely on the Article 49(1)(b) derogation. But what if the bank has many clients working in the non-adequate country? Could the bank still rely on the derogation?
Let’s see what the European Data Protection Board and the Court of Justice of the European Union have to say about this.
In its guidelines on the derogations of Article 49, the EDPB advocates a layered approach as best practice — as did its predecessor, the Article 29 Working Party — and treats the derogations as exemptions from the other rules on transfers. When applying the layered approach, organizations should first consider whether a country provides an adequate level of protection. If that is not the case, an organization should explore other safeguards and use the derogations mentioned in Article 49 only in the absence of such safeguards. However, it is worth mentioning that WP 29 did state that the derogations for transfers concern cases where risks to the data subjects are small or where other interests (e.g., interests of the individual) override an individual’s right to privacy (see WP 12).
In our second scenario, a client goes to their bank and asks to transfer money to a bank in a non-adequate country — in this case, could their interests override their right to privacy because the transfer request came from the individual? The EDPB interprets the derogation in Article 49(1)(b) in view of Recital 111 only and holds that both criteria, “occasional” and “necessary,” must be met in order to rely on the derogation.
The CJEU has a different view when it comes to interpreting provisions in light of recitals. In case C-162/97 Nilsson et al., the CJEU took the position that the preamble of a Community act has no binding legal effect and cannot be relied on as a ground for derogating from the provisions of the act. Furthermore, in case C-134/08 Hauptzollamt Bremen v. J. E. Tyson Parketthandel GmbH hanse j, the court stated that the preamble has no binding legal effect and cannot be relied on as a ground for derogating from the actual provisions of the act or for interpreting those provisions in a manner clearly contrary to their wording.
Are organizations ready to test, where the EU data protection authorities are concerned, whether the criterion “occasional” applies to the Article 49(1)(b) derogation? Can they rely on the established CJEU case law? Why did lawmakers not include this criterion in the text of the norm? Could it be that the lawmakers wanted to provide a smooth transition from Directive 95/46/EC, which doesn’t mention that criterion at all, to a revision of the GDPR or a new regulation that will include it in the normative provisions? Time will tell whether the criterion “occasional” will ever move from the recitals into the norm. As for businesses and organizations, before transferring personal data to third countries and international organizations, they should check whether the relevant member state has set limits on transfers of the specific categories of personal data concerned.