How to Demonstrate Compliance With GDPR Article 46

Transfers Subject to Appropriate Safeguards

Book a demo

bottom,view,of,modern,skyscrapers,in,business,district,against,blue

GDPR Article 46 allows for the transfer of data to another country or international organisation without an ‘adequacy decision’ (see Article 45).

The majority of countries able to receive data from the UK or the EU don’t have their own data protection frameworks in place, as such, Article 46 plays an important role in securing the rights and freedoms of naturalised citizens in a global economy.

GDPR Article 46 Legal Text

EU GDPR Version

Transfers Subject to Appropriate Safeguards

  1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
  2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:
    • (a) a legally binding and enforceable instrument between public authorities or bodies;
    • (b) binding corporate rules in accordance with Article 47;
    • (c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
    • (d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
    • (e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
    • (f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

  3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:
    • (a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
    • (b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

  4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.
  5. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

UK GDPR Version

Transfers Subject to Appropriate Safeguards

  1. In the absence of adequacy regulations under section 17A of the 2018 Act, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
  2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from the Commissioner, by:
    • (a) a legally binding and enforceable instrument between public authorities or bodies;
    • (b) binding corporate rules in accordance with Article 47;
    • (c) standard data protection clauses specified in regulations made by the Secretary of State under section 17C of the 2018 Act and for the time being in force;
    • (d) standard data protection clauses specified in a document issued (and not withdrawn) by the Commissioner under section 119A of the 2018 Act and for the time being in force;
    • (e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
    • (f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

  3. With authorisation from the Commissioner, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:
    • (a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
    • (b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.
With ISMS.online, challenges around version control, policy approval & policy sharing are a thing of the past.
Dean Fields
IT Director NHS Professionals
100% of our users pass certification first time
Book your demo

Technical Commentary

The discussion regarding the transfer of personal data to countries without an accompanying adequacy framework is spread across 6 key areas:

  1. The scope of the transfer.
  2. A list of appropriate safeguards to be used without prior authorisation.
  3. Safeguards that may be used with authorisation.
  4. The submission of any safeguards used to the appropriate data protection authority.
  5. How authorities should assess the suitability and efficiency of any safeguards submitted for scrutiny.
  6. A continuous review of any authorisations granted, in line with the above points.

ISO 27701 Clause 7.5.1 (Identify Basis for PII Transfer Between Jurisdictions) and EU GDPR Article 46

In this section we talk about GDPR Articles 46 (1), 46 (2)(a), 46 (2)(b), 46 (2)(c), 46 (2)(d), 46 (2)(e), 46 (2)(f), 46 (3)(a), 46 (3)(b), 46 (4), 46 (5)

Regional regulatory and legal rules vary depending on where the data has originated from, and where it’s going to be transferred to.

Organisations should take all relevant laws, frameworks and regulations into account whenever they need to transfer data between jurisdictions, including the use of a designated supervisory authority.

ISO 27701 Clause 8.5.1 (Basis for PII Transfer Between Jurisdictions) and EU GDPR Article 46

In this section we talk about GDPR Articles 46 (1), 46 (2)(a), 46 (2)(b), 46 (2)(c), 46 (2)(d), 46 (2)(e), 46 (2)(f), 46 (3)(a) and 46 (3)(b)

Customers should be able to view a list of potential recipient countries and organisations at any given time, including a log of all countries involved in PII subcontracting (see ISO 27701 clause 8.5.1).

In certain circumstances, organisations will not always be able to divulge in advance where transfer requests have originated from – particularly involving cases of criminal proceedings. This is unavoidable, and it should be the organisation’s priority to uphold the integrity of a law enforcement operation (see ISO 27701 clauses 7.5.1, 8.5.4 and 8.5.5).

Supporting ISO 27701 Clauses

  • ISO 27701 7.5.1
  • ISO 27701 8.5.1
  • ISO 27701 8.5.4
  • ISO 27701 8.5.5

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR ArticleISO 27701 ClauseISO 27701 Supporting Clauses
EU GDPR Articles 46 (1) to 46 (5)ISO 27701 7.5.1None
EU GDPR Articles 46 (1) to 46 (3)(b)ISO 27701 8.5.1ISO 27701 7.5.1
ISO 27701 8.5.4
ISO 27701 8.5.5

how ISMS.online Help

We provide you with an environment that has been pre-built in order to describe and demonstrate your approach to protecting your European and UK customer data in a way that fits seamlessly into your existing management system.

With ISMS.online, it is easy for you to jump straight into the journey to GDPR compliance and to easily demonstrate a level of protection that extends beyond ‘reasonable’, all in one secure, always-on location that you can access from anywhere.

Find out more by scheduling a demo.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Explore ISMS.online's platform with a self-guided tour - Start Now