The European Data Protection Board (EDPB) has now published its final guidelines on derogations under the GDPR. The EDPB is an independent European body composed of representatives of the national supervisory authorities of each EU member state and the European Data Protection Supervisor ("EDPS").
Organisations must use an approved transfer mechanism when transferring personal data outside the EU. One of these approved transfer mechanisms is to rely on a derogation identified in Article 49, including explicit consent from the data subject, contractual necessity and public interest.
The guidelines interpret the specific provisions of Article 49 on derogations in relation to transfers of personal data to third countries, and also includes practical examples of the derogations and their use. In particular the guidance contains the following useful advice:
- The derogations provided in Article 49 of the GDPR should only be used when the standard contractual clauses, binding corporate rules or other mechanisms covered by Articles 45 (adequacy decision) and Article 46 (appropriate safeguards) cannot be used.
- Consent requirements as issued by the Article 29 Working Party are applicable to the assessment of “explicit consent” in the context of derogation. The guidance cautions organisations about whether explicit consent should be used as a long term solution for transfers to third countries.
- For “necessity”, the test requires an evaluation by the data exporters of a substantial and close connection between the transfer of the data and the actual purpose.
- In relations to the “occasional” traders for data, it states that data transfers within a stable business relationship should not be considered as being "occasional.
The guidance can be found here and will be a helpful document for any organisation transferring personal data to countries outside of the EU.