Guidelines 02/2018 on Derogations of Article 49 GDPR

Section 2.7.  Transfer made from a public register – (49 (1) (g) and 49 (2))

Article 49(1)(g) and Article 49 (2) allow the transfer of personal data from registers under certain conditions. A register in general is defined as a “(written) record containing regular entries of items or details” or as “an official list or record of names or items”, where in the context of Article 49, a register could be in written or electronic form.

The register in question must, according to Union or Member State law, be intended to provide information to the public. Therefore, private registers (those in the responsibility of private bodies) are outside of the scope of this derogation (for example private registers through which credit-worthiness is appraised.

The register must be open to consultation by either:

(a) the public in general or

(b) any person who can demonstrate a legitimate interest.

These could be, for example: registers of companies, registers of associations, registers of criminal convictions, (land) title registers or public vehicle registers.

In addition to the general requirements regarding the set-up of the registers themselves, transfers from these registers may only take place if and to the extent that, in each specific case, the conditions for consultation that are set forth by Union or Member State law are fulfilled (regarding these general conditions, see Article  49 (1)(g).

Data controllers and data processors wishing to transfer personal data under this derogation need to be aware that a transfer cannot include the entirety of the personal data or entire categories of the personal data contained in the register (Article 49(2)). Where a transfer is made from a register established by law and where it is to be consulted by persons having a legitimate interest, the transfer can only be made at the request of those persons or if they are recipients, taking into account of the data subjects’ interests and fundamental rights. On a case by case basis, data exporters, in assessing whether the transfer is appropriate, would always have to consider the interests and rights of the data subject.

Further use of personal data from such registers as stated above may only take place in compliance with applicable data protection law.

This derogation can also apply to activities carried out by public authorities in the exercise of their public powers (Article 49(3)).