Binding Corporate Rules (BCRs), Lecture 3

Data transfers on the basis of derogations

The General Data Protection Regulation provides derogations from the general prohibition on transfers of personal data outside the EU for certain specific situations. A transfer, or set of transfers, may be made where the transfer is:

– made with the individual’s informed consent;
– necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual’s request;
– necessary for the performance of a contract made in the interests of the individual between the controller and another person;
– necessary for important reasons of public interest;
– necessary for the establishment, exercise or defence of legal claims;
– necessary to protect the vital interests of the data subject or other persons, where the data subject is physically or legally incapable of giving consent; or
– made from a register which under UK or EU law is intended to provide information to the public (and which is open to consultation by either the public in general or those able to show a legitimate interest in inspecting the register).

The first three derogations are not available for the activities of public authorities in the exercise of their public powers. What is important here is that a “two-step test” has to be applied: there has to be a legal basis for the transfer, and the provisions regarding data transfers to third countries have to be complied with. A “necessity test” also has to be applied in order to assess the necessity of the transfer. This test requires an evaluation of whether a transfer of personal data can be considered necessary for the specific purpose of the derogation to be used.

In addition, it is implied that derogations can be used as a last resort for framing a data transfer, that is, if there isn’t an adequate level of data protection in the third country and it is not possible to use either an adequacy decision or an appropriate safeguard (like a BCR).

A company may carry out an infrequent or one-off transfer of data that concerns only relatively few individuals. Provided there is no Commission decision authorising transfers to the country in question, and if it is not possible to demonstrate that individuals’ rights are protected by adequate safeguards and none of the derogations apply, the GDPR states that personal data may still be transferred outside the EU.

However, such transfers are permitted only where the transfer:

– is not being made by a public authority in the exercise of its public powers;
– is not repetitive (similar transfers are not made on a regular basis);
– involves data related to only a limited number of individuals;
– is necessary for the purposes of the compelling legitimate interests of the organisation (provided such interests are not overridden by the interests of the individual); and
– is made subject to suitable safeguards put in place by the organisation (in the light of an assessment of all the circumstances surrounding the transfer) to protect the personal data.

In these cases, organisations are obliged to inform the relevant supervisory authority of the transfer and provide additional information to individuals.