How to Demonstrate Compliance With GDPR Article 49

Derogations for Specific Situations

Book a demo

shutterstock 1410209846 scaled

GDPR Article 49 contains a list of derogation – i.e. exceptions – that organisations can apply to any international data transfers to third-party countries, when no other part of Chapter V GDPR is applicable.

GDPR Article 49 Legal Text

EU GDPR Version

Derogations for Specific Situations

  1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
    • (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
    • (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
    • (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
    • (d) the transfer is necessary for important reasons of public interest;
    • (e) the transfer is necessary for the establishment, exercise or defence of legal claims;
    • (f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
    • (g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

      Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.

  2. A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.
  3. Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.
  4. The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.
  5. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.
  6. The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.

UK GDPR Version

Derogations for Specific Situations

  1. In the absence of adequacy regulations under section 17A of the 2018 Act, or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
    • (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
    • (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
    • (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
    • (d) the transfer is necessary for important reasons of public interest;
    • (e) the transfer is necessary for the establishment, exercise or defence of legal claims;
    • (f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
    • (g) the transfer is made from a register which according to domestic law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by domestic law for consultation are fulfilled in the particular case.

      Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the the Commissioner of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.

  2. A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.
  3. Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.
  4. The public interest referred to in point (d) of the first subparagraph of paragraph 1 must be a public interest that is recognised in domestic law (whether in regulations under section 18(1) of the 2018 Act or otherwise).
  5. This Article and Article 46 are subject to restrictions in regulations under section 18(2) of the 2018 Act.
  6. The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.
If you don’t use ISMS.online, you’re making your life more difficult than it needs to be!
Mark Wightman
Chief Technical Officer Aluma
100% of our users pass certification first time
Book your demo

Technical Commentary

The derogations within GDPR Article 49 are applicable towards several key situations:

  1. When data subjects have consented to the transfer of their data.
  2. Technical requirements that allow the organisation to carry out its contractual obligations towards a data subject.
  3. Any transfer that is carried out in the public interest (albeit with a seperate list of limitations on such transfers).
  4. Actions that protect the ‘vital interests’ of data subjects, but only where the subject is physically incapable of providing consent to the organisation.
  5. Any transfers that are performed from a public registry.
  6. Where the data controller possesses ‘compelling legitimate interests’.

ISO 27701 Clause 7.5.1 (Identify Basis for Pii Transfer Between Jurisdictions) and EU GDPR Article 49

In this section we talk about GDPR Articles 49 (1)(a), 49 (1)(b), 49 (1)(c), 49 (1)(d), 49 (1)(e), 49 (1)(f), 49 (1)(g), 49 (2), 49 (3), 49 (4), 49 (5) and 49 (6)

From time to time, the need may arise to transfer PII between two distinct jurisdictions. When this occurs, organisations should justify and document the need for doing so.

Regional regulatory and legal rules vary depending on where the data has originated from, and where it’s going to be transferred to.

Organisations should take all relevant laws, frameworks and regulations into account whenever they need to transfer data between jurisdictions, including the use of a designated supervisory authority.

ISO 27701 Clause 8.5.1 (Basis for PII Transfer Between Jurisdictions) and EU GDPR Article 49

In this section we talk about GDPR Articles 49 (1)(a), 49 (1)(b), 49 (1)(c), 49 (1)(d), 49 (1)(e), 49 (1)(f), 49 (1)(g), 49 (2), 49 (3), 49 (4), 49 (5) and 49 (6)

Whenever PII is to be transferred between jurisdictions, organisations need to inform the customer of the underlying need to do so, in a timely manner.

Transfer destinations can include:

  • Suppliers.
  • Third-parties.
  • Different countries.
  • International organisations.

Organisations should give the customer adequate notice of any transfers, so that objections may be raised and, in certain circumstances, termination requests can be made.

Organisations don’t always need to inform customers of changes to their data transfer arrangements, but contracts should clearly outline the circumstances in which they do need to offer advance warning.

When transferring PII to another country, organisations should consider official mechanisms, such as:

  1. Model Contract Clauses.
  2. Binding Corporate Rules.
  3. Cross-Border Privacy Rules.

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR ArticleISO 27701 ClauseISO 27701 Supporting Clauses
EU GDPR Articles 49 (1)(a) to 49 (6)ISO 27701 7.5.1None
EU GDPR Articles 49 (1)(a) to 49 (6)ISO 27701 8.5.1None

How ISMS.online Help

The ISMS.online platform includes built-in guidance at each step, combined with our ‘Adopt, Adapt, Add’ implementation approach, so demonstrating your GDPR compliance is significantly easier. You will also benefit from a range of powerful time-saving features.

By mapping your work across multiple standards and frameworks, our intuitive platform makes it easy to accomplish multiple information security and data privacy goals.

Find out more by scheduling a demo.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

Streamline your workflow with our new Jira integration! Learn more here.