Last Updated: May 2021Click To View (PDF)

The “Schrems II” case and subsequent recommendations by the European Data Protection Board show it is not straightforward for organizations in the European Economic Area to rely on “appropriate safeguards,” such as standard contractual clauses, to transfer personal data to third countries. Organizations may be inclined to look to the various derogations under Article 49 of the EU General Data Protection Regulation to see if these may provide alternative ways of transferring personal data. In January 2021, Thomas von Danwitz, the judge-rapporteur in the “Schrems II” case, also suggested the possibility of increased reliance on the Article 49 derogations, although readers should note von Danwitz’s comments were brief and given in a personal capacity.

There are specific recitals that relate to the derogations in Article 49, as well as detailed guidance from the EDPB. Before attempting to rely on the derogations, organizations need to be aware of these additional considerations. This table summarizes this material so readers can see at a glance the factors relevant for each derogation. We have also included citations for all provisions for readers who want to read further on the point. The comments made in this table are also applicable to transfers of personal data from the U.K.