Guidelines 02/2018 on Derogations of Article 49 GDPR

Section 2.5  Transfer is necessary for the establishment, exercise or defense of legal claims -(49 (1) (e))

Establishment, exercise or defense of legal claims

Under Article 49 (1) (e), transfers may take place when “the transfer is necessary for the establishment, exercise or defense of legal claims”. Recital 111 states that a transfer can be made where it is “occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies”. This covers a range of activities for example, in the context of a criminal or administrative investigation in a third country (e.g. anti-trust law, corruption, insider trading or similar situations), where the derogation may apply to a transfer of data for the purpose of defending oneself or for obtaining a reduction or waiver of a fine legally foreseen e.g. in anti-trust investigations. As well, data transfers for the purpose of formal pre-trial discovery procedures in civil litigation may fall under this derogation. It can also cover actions by the data exporter to institute procedures in a third country for example commencing litigation or seeking approval for a merger. The derogation cannot be used to justify the transfer of personal data on the grounds of the mere possibility that legal proceedings or formal procedures may be brought in the future.

This derogation can apply to activities carried out by public authorities in the exercise of their public powers (Article 49(3)).

The combination of the terms “legal claim” and “procedure” implies that the relevant procedure must have a basis in law, including a formal, legally defined process, but is not necessarily limited to judicial or administrative procedures (“or any out of court procedure”). As a transfer needs to be made in a procedure, a close link is necessary between a data transfer and a specific procedure regarding the situation in question. The abstract applicability of a certain type of procedure would not be sufficient.

Data controllers and data processors need to be aware that national law may also contain so-called “blocking statutes”, prohibiting them from or restricting them in transferring personal data to foreign courts or possibly other foreign official bodies.

Necessity of the data transfer

A data transfer in question may only take place when it is necessary for the establishment, exercise or defense of the legalclaim in question. This “necessity test” requires a close and substantial connection between the data in question and the specific establishment, exercise or defense of the legal position. The mere interest of third country authorities or possible “good will” to be obtained from the third country authority as suchwould not be sufficient.

Whilst there may be a temptation for a data exporter to transfer all possibly relevant personal data in response to a request or for instituting legal procedures, this would not be in line with this derogation or with the GDPR more generally as this (in the principle of data minimization) emphasizes the need for personal data to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

In relation to litigation proceedings the WP29, predecessor of the EDPB, has already set out a layered approach to the question of whether the personal data should be transferred, including the application of this principle. As a first step, there should be a careful assessment of whether anonymized data would be sufficient in the particular case. If this is not thecase, then transfer of pseudonymized data could be considered. If it is necessary to send personal data to a third country, its relevance to the particular matter should be assessed before the transfer – so only a set of personal data that is actually necessary is transferred and disclosed.

Occasional transfer

Such transfers should only be made if they are occasional. For information on the definition of occasional transfers please see the relevant section on “occasional and “non-repetitive” transfers. Data exporters would need to carefully assess each specific case.