Rina Steenkamp - Privacy and technology

My annotated General Data Protection Regulation

Chapter V Transfer of personal data to third countries or international organisations

Article 42 Transfers by way of appropriate safeguards

October 2013

Article 42(1)

1. Where the Commission has taken no decision pursuant to Article 41, or decides that a third country, or a territory or processing sector within that third country, or an international organisation does not ensure an adequate level of protection in accordance with Article 41(5), a controller or processor may not transfer personal data to a third country, territory or an international organisation unless the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.

Article 42(2)

2. The appropriate safeguards referred to in paragraph 1 shall be provided for, in particular, by:

Article 42(3)

3. A transfer based on standard data protection clauses, a “European Data Protection Seal” or binding corporate rules as referred to in points (a), (aa) or (c) of paragraph 2 shall not require any specific authorisation.

Article 42(4)

4. Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses from the supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

Article 42(5)

5. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until two years after the entry into force of this Regulation unless amended, replaced or repealed by that supervisory authority before the end of this period.

[Source: October 2013]

Recital 83

(83) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for thedata subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those appropriate safeguards should uphold a respect of the data subject rights adequate to intra-EU processing, in particular relating to purpose limitation, right to access, rectification, erasure and to claim compensation. Those safeguards should in particular guarantee the observance of the principles of personal data processing, safeguard data subject rights and provide for effective redress mechanisms, ensure the observance of the principles of data protection by design and by default, guarantee the existence of a data protection officer.

Recital 84

(84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract nor to add other clauses or supplementary safeguards as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. The standard data protection clauses adopted by the Commission could cover different situations, namely transfers from controllers established in the European Union to controllers established outside the European Union and from controllers established in the European Union to processors, including sub-processors, established outside the European Union. Controllers and processors should be encouraged to provide even more robust safeguards via additional contractual commitments that supplement standard protection clauses.

[Source: October 2013 | Notes: Recitals | Context: Recitals]

January 2012

Explanatory memorandum

3.4. Detailed explanation of the proposal

Article 42 requires for transfers to third countries, where no adequacy decision has been adopted by the Commission, to adduce appropriate safeguards, in particular standard data protection clauses, binding corporate rules and contractual clauses. The possibility of making use of Commission standard data protection clauses is based on Article 26(4) of Directive 95/46/EC. As a new component, such standard data protection clauses may now also be adopted by a supervisory authority and be declared generally valid by the Commission. Binding corporate rules are now specifically mentioned in the legal text. The option of contractual clauses gives certain flexibility to the controller or processor, but is subject to prior authorisation by supervisory authorities.

[Source: January 2012 | Context: Proposal from the European Commission]

Article 42(1) [Amended: October 2013]

1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.

Article 42(2) [Amended: October 2013]

2. The appropriate safeguards referred to in paragraph 1 shall be provided for, in particular, by:

Article 42(3) [Amended: October 2013]

3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b) or (c) of paragraph 2 shall not require any further authorisation.

Article 42(4)

4. Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

Article 42(5) [Amended: October 2013]

5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.

[Source: January 2012 | Context: Proposal from the European Commission]

Recital 83 [Amended: October 2013]

(83) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority, or other suitable and proportionate measures justified in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations and where authorised by a supervisory authority.

Recital 84 [Amended: October 2013]

(84) The possibility for the controller or processor to use standard data protection clauses adopted by the Commission or by a supervisory authority should neither prevent the possibility for controllers or processors to include the standard data protection clauses in a wider contract nor to add other clauses as long as they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects.

[Source: January 2012 | Notes: Recitals | Context: Proposal from the European Commission, Recitals]

Directive 95/46/EC

Cross-reference

General Data Protection Regulation:Directive 95/46/EC:
Article 42(1)Article 26(2)
Article 42(2)Article 26(2)
Article 42(3)Article 26(4)
Article 42(4)Article 26(2)

Chapter IV Transfer of personal data to third countries

Article 26 Derogations

Article 26(2)

2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

Article 26(4)

4. Where the Commission decides, in accordance with the procedure referred to in Article 31 (2), that certain standard contractual clauses offer sufficient safeguards as required by paragraph 2, Member States shall take the necessary measures to comply with the Commission's decision.