Q&As

Can an EU based organisation (which is a controller) once the GDPR applies transfer personal data outside of the EEA to a non-EU (and non-EEA) controller in reliance only on the derogations provided in Article 49 of the GDPR (where none of the appropriate safeguards provided under Article 46 of the GDPR can be used) or are there any other requirements which must be met to rely on Article 49 of the GDPR? Is there any guidance on the circumstances to which subparagraphs (a) to (c) of Article 49(1) of the GDPR apply?

read titleRead full title
Published on LexisPSL on 18/12/2017

The following Information Law Q&A provides comprehensive and up to date legal information covering:

  • Can an EU based organisation (which is a controller) once the GDPR applies transfer personal data outside of the EEA to a non-EU (and non-EEA) controller in reliance only on the derogations provided in Article 49 of the GDPR (where none of the appropriate safeguards provided under Article 46 of the GDPR can be used) or are there any other requirements which must be met to rely on Article 49 of the GDPR? Is there any guidance on the circumstances to which subparagraphs (a) to (c) of Article 49(1) of the GDPR apply?
  • Application of Article 49 of the GDPR
  • Interpretation
  • Extra-territorial reach of GDPR

The General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR), will replace Directive 95/46/EC (Data Protection Directive) and all implementing data protection legislation in EU Member States, including the UK’s Data Protection Act 1998 (DPA 1998) from 25 May 2018. The GDPR will be directly applicable in all Member States without the need for implementing national legislation.

This Q&A relates to a transfer between two businesses (which are not public bodies or public authorities) and does not encompass the ‘limited transfer for compelling legitimate interests’ exemption mentioned below. For the purposes of this Q&A, we have assumed that there are no relevant adequacy decisions pursuant to GDPR, Regulation (EU) 2016/679, Art 45(3) and no appropriate safeguards pursuant to GDPR, Regulation (EU) 2016/679, Art 46.

Application of Article 49 of the GDPR

GDPR, Regulation (EU) 2016/679, Art 44 provides (emphasis added):

‘Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure

Related documents:

Popular documents