• Courses
      • Global Series of National Privacy Laws
      • Nederlandse Privacy Academie
    • Resources
    • Join GADPPRO ACADEMY
      • Join GADPPRO Academy as an Official Partner
      • Become an Official GADPPRO Training Entity
      • Join the GADPPRO Business Academy
      • Secretariat & International Training Centre
      • Contact Us
    •  
      • RegisterLog in
    Privacad GADPPRO Academy
      • Courses
        • Global Series of National Privacy Laws
        • Nederlandse Privacy Academie
      • Resources
      • Join GADPPRO ACADEMY
        • Join GADPPRO Academy as an Official Partner
        • Become an Official GADPPRO Training Entity
        • Join the GADPPRO Business Academy
        • Secretariat & International Training Centre
        • Contact Us
      •  
        • RegisterLog in

      Blog

      Derogations of Article 49 GDPR

      • Categories Blog, Business, Design / Branding, Free Data Protection Resources, Uncategorized
      • Date November 5, 2020

      Guidelines 02/2018 on Derogations of Article 49 GDPR

      Section 2.5  Transfer is necessary for the establishment, exercise or defense of legal claims -(49 (1) (e))

      Establishment, exercise or defense of legal claims

      Under Article 49 (1) (e), transfers may take place when “the transfer is necessary for the establishment, exercise or defense of legal claims”. Recital 111 states that a transfer can be made where it is “occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies”. This covers a range of activities for example, in the context of a criminal or administrative investigation in a third country (e.g. anti-trust law, corruption, insider trading or similar situations), where the derogation may apply to a transfer of data for the purpose of defending oneself or for obtaining a reduction or waiver of a fine legally foreseen e.g. in anti-trust investigations. As well, data transfers for the purpose of formal pre-trial discovery procedures in civil litigation may fall under this derogation. It can also cover actions by the data exporter to institute procedures in a third country for example commencing litigation or seeking approval for a merger. The derogation cannot be used to justify the transfer of personal data on the grounds of the mere possibility that legal proceedings or formal procedures may be brought in the future.

      This derogation can apply to activities carried out by public authorities in the exercise of their public powers (Article 49(3)).

      The combination of the terms “legal claim” and “procedure” implies that the relevant procedure must have a basis in law, including a formal, legally defined process, but is not necessarily limited to judicial or administrative procedures (“or any out of court procedure”). As a transfer needs to be made in a procedure, a close link is necessary between a data transfer and a specific procedure regarding the situation in question. The abstract applicability of a certain type of procedure would not be sufficient.

      Data controllers and data processors need to be aware that national law may also contain so-called “blocking statutes”, prohibiting them from or restricting them in transferring personal data to foreign courts or possibly other foreign official bodies.

      Necessity of the data transfer

      A data transfer in question may only take place when it is necessary for the establishment, exercise or defense of the legalclaim in question. This “necessity test” requires a close and substantial connection between the data in question and the specific establishment, exercise or defense of the legal position. The mere interest of third country authorities or possible “good will” to be obtained from the third country authority as suchwould not be sufficient.

      Whilst there may be a temptation for a data exporter to transfer all possibly relevant personal data in response to a request or for instituting legal procedures, this would not be in line with this derogation or with the GDPR more generally as this (in the principle of data minimization) emphasizes the need for personal data to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

      In relation to litigation proceedings the WP29, predecessor of the EDPB, has already set out a layered approach to the question of whether the personal data should be transferred, including the application of this principle. As a first step, there should be a careful assessment of whether anonymized data would be sufficient in the particular case. If this is not thecase, then transfer of pseudonymized data could be considered. If it is necessary to send personal data to a third country, its relevance to the particular matter should be assessed before the transfer – so only a set of personal data that is actually necessary is transferred and disclosed.

      Occasional transfer

      Such transfers should only be made if they are occasional. For information on the definition of occasional transfers please see the relevant section on “occasional and “non-repetitive” transfers. Data exporters would need to carefully assess each specific case.

      • Share:
      author avatar
      Richard V

      Previous post

      Derogations of Article 49 GDPR
      November 5, 2020

      Next post

      Derogations of Article 49 GDPR
      November 5, 2020

      You may also like

      Children Safety Encryption www.privacad.com
      Apple’s New Step to Protect Child Abuse via Encryption Feature
      20 August, 2021
      DNA Technology and Privacy www.privacad.com
      DNA Technology Regulation Bill and Violation of Privacy for Minority Groups
      19 August, 2021
      www.privacad.com
      India accuses Twitter of not complying with new IT rules
      18 August, 2021

      Search

      Categories

      • Blog
      • Business
      • Design / Branding
      • Free Data Protection Resources
      • Nederlandse Privacy Academie
      • Uncategorized
      Facebook-f Linkedin-in

      © Privacad 2020

      For all your questions about courses

      students@privacad.com

      For all your questions about Privacad for business

      info@privacad.com

      Links

      • Courses
      • Become a GADPPRO Academy Official Training Entity
      • Resources
      • Free Data Protection Resources
      • Blog
      • Profile
      • Students Stewards Network (SSN)

      Support

      • Privacy Policy
      • Terms of Use
      • FAQs
      • Contact

      © GADPPRO Academy | Privacad 2022

      GADPPRO Academy 2022

      Login with your site account

      Lost your password?

      Not a member yet? Register now

      Register a new account

      Are you a member? Login now