Information security
Special situations and occasional transfers
In certain types of special situations and occasional transfers of personal data to third countries, it may be permitted to carry out the transfer.
Special situations and occasional transfers of personal data to third countries
It applies even if the third country does not provide an adequate level of protection and the company does not take any additional safeguards. The exceptions for this type of special situation and occasional transfers of personal data to third countries are set out in Article 49 of the GDPR.
Is the transfer necessary?
The company should try to take appropriate protective measures in the first place. Alternatively, transfer personal data to a country that has an adequate level of protection according to a decision by the European Commission. In addition, the company should analyse whether the transfer of the personal data is necessary. The exceptions in Article 49 of the GDPR should only be applied by companies when the company cannot take any appropriate safeguards.
The transfer of personal data to a third country is permitted, for example, in these special situations:
Explicit consent
If the company obtains the explicit consent of the data subject. In these cases, the data subject must have been informed of the risks involved in the transfer, as the third country does not have an adequacy decision and the company has not taken appropriate safeguards.
Performance of a contract with the data subject
When the transfer of personal data is necessary, for example, for the performance of a contract between the data subject and the controller. This may also be the case if it is necessary for the performance of measures under such a contract, provided that the data subject so requests.
Performance of a contract with another party
Where the transfer of personal data is necessary for the conclusion or performance of a contract with a party other than the data subject; However, this must be done in the interest of the data subject.
General interest
Where a public interest is recognised by national law and it is necessary to carry out the transfer of the personal data in order to achieve it. This may also be reflected in EU law.
Legal claims
If the company needs to transfer the personal data in order to defend a legal claim. The same applies to the establishment or exercise of legal claims.
Protecting fundamental interests
Where the data subject is unable to give consent, for legal or physical reasons and the transfer is necessary to protect the fundamental interest of the data subject; In addition, the transfer may take place if it is necessary to protect the vital interests of someone other than the data subject.
In addition to transfer of personal data being allowed in the above special situations, it is also possible if the transfer meets all of the following criteria:
Not regularly: It should not be a transfer that takes place on a regular basis.
- Limited number of data subjects: The number of data subjects to whom the transfer applies is limited.
- Legitimate interest: The company must have a legitimate interest in the transfer. In such cases, the company shall carry out and document a balance of interests to substantiate this.
- Appropriate safeguards: The company must take appropriate safeguards to protect the personal data based on the circumstances demonstrated by the assessment.
Here you can read guidelines from the European Data Protection Board regarding special situations and occasional transfers of personal data to third countries
Balancing of interests in the case of transfers of personal data to third countries
Companies may carry out a processing of personal data if they have a legitimate interest, which constitutes one (1) of the six (6) legal bases of the GDPR. A balancing of interests involves weighing the interests of the company against the interests, rights and freedoms of the data subject. In addition, the company must analyse all the circumstances surrounding the transfer and take appropriate safeguards for the personal data. It is also important to keep in mind that companies may consider that they have a legitimate interest, but do not have it in accordance with the law.
Please note that companies must inform the national data protection authority if they consider that they have a legitimate interest in a third country transfer. In addition, they must inform the data subjects accordingly. Among other things, it must state what the legitimate interest is that the company wants to achieve with the processing.
Learn more about information security
Standard Contractual Clauses
Another additional safeguard that companies can take when transferring personal data to third countries is to use the standard contractual clauses adopted by the European Commission. However, the company may need to take additional safeguards in some cases, even though it is usually sufficient to use only the standard contractual clauses. It is important to consider using the right clauses after the situation. For example, if it is a transfer to a processor in a third country from a controller in the EU, or if it is a transfer between two processors.