Article 49 (1) § 2 introduces a new derogation which was not previously included in the Directive. Under a number of specific, expressly enumerated conditions, personal data can be transferred if it is necessary for the purposes of compelling legitimate interests pursued by the data exporter.
This derogation is envisaged by the law as a last resort, as it will only apply where “a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situationis applicable”.
This layered approach to considering the use of derogations as a basis for transfers requires consideration of whether it is possible to use a transfer tool provided in Article 45 or 46 or one of the specific derogations set out in Article 49 (1) § 1, before resorting to the derogation of Article 49 (1) §2. This can only be used in residual cases according to recital 113 and is dependent on a significant number of conditions expressly laid down by law. In line with the principle of accountability enshrined in the GDPR the data exporter must be therefore able to demonstrate that it was neither possible to frame the data transfer by appropriate safeguards pursuant to Article 46 nor to apply one of the derogations as contained in Article 49 (1) § 1.
This implies that the data exporter can demonstrate serious attempts in this regard, taking into account the circumstances of the data transfer. This may for example and depending on the case, include demonstrating verification of whether the data transfer can be performed on the basis of the data subjects’ explicit consent to the transfer under Article 49 (1) (a). However, in some circumstances the use of other tools might not be practically possible. For example, some types of appropriate safeguards pursuant to Article46 may not be a realistic option for a data exporter that is a small or medium-sized company. This may also be the case for example, where the data importer has expressly refused to enter into a data transfer contract on the basis of standard data protection clauses (Article 46 (2) (c)) and no other option is available (including, depending on the case, the choice of a different “data importer”) – see also the paragraph below on ‘compelling’ legitimate interest.
Compelling legitimate interests of the controller
According to the wording of the derogation, the transfer must be necessary for the purposes of pursuing compelling legitimate interests of the data controller which are not overridden by the interests or rights and freedoms of the data subject. Consideration of the interests of a data exporter in its capacity as data processor or of the data importer are not relevant.
Moreover, only interests that can be recognized as “compelling” are relevant and this considerably limits the scope of the application of the derogationas not all conceivable “legitimate interests” under Article 6 (1) (f) will apply here. Rather a certain higher threshold will apply, requiring the compelling legitimate interest to be essential for the data controller. For example, this might be the case if a data controller is compelled to transfer the personal data in order to protect its organization or systems from serious immediate harm or from a severe penalty which would seriously affect its business.
According to its express wording, Article 49 (1) § 2 can only apply to a transfer that is not repetitive.
Limited number of data subjects
Additionally, the transfer must only concern a limited number of data subjects. No absolute threshold has been set as this will depend on the context but the number must be appropriately small taking into consideration the type of transfer in question. In a practical context, the notion “limited number of data subjects” is dependent on the actual case in hand. For example, if a data controller needs to transfer personal data to detect a unique and serious security incident in order to protect its organization, the question here would be how many employees’ data the data controller would have to transfer in order to achieve this compelling legitimate interest. As such, in order for the derogation to apply, this transfer should not apply to all the employees of the data controller but rather to a certain confined few.
Balancing the “compelling legitimate interests of the controller” against the “interests or rights and freedoms of the data subject” on the basis of an assessment of all circumstances surrounding the data transfer and providing for suitable safeguards
As a further requirement, a balancing test between the data exporter’s (compelling) legitimate interest pursued and the interests or rights and freedoms of the data subject has to be performed. In thisregard, the law expressly requires the data exporter to assess all circumstances of the data transfer in question and, based on this assessment, to provide “suitable safeguards” regarding the protection of the data transferred. This requirement highlights the special role that safeguards may play in reducing the undue impact of the data transfer on the data subjects and thereby in possibly influencing the balance of rights and interests to the extent that the data controller’s interests will not be overridden.
As to the interests, rights and freedoms of the data subject which need to be taken into consideration, the possible negative effects, i.e. the risks of the data transfer on any type of (legitimate) interest of the data subject have to be carefully forecasted and assessed, by taking into consideration their likelihood and severity. In this regard, in particular any possible damage (physical and material, but also non-material as e.g. relating to a loss of reputation) needs to be taken into consideration. When assessing these risks and what could under the given circumstances possibly be considered as “suitable safeguards” for the rights and freedoms of the data subject, the data exporter needs to particularly take into account the nature of the data, the purpose and duration of the processing as well as the situation in the country of origin, the third country and, if any, the country of final destination of the transfer.
Furthermore, the law requires the data exporter to apply additional measures as safeguards in order to minimize the identified risks caused by the data transfer for the data subject. This is set up by the law as a mandatory requirement, so it can be followed that in the absence of additional safeguards, the controller’s interests in the transfer will in any case be overridden by the interests or rights and freedoms of the data subject. As to the nature of such safeguards, it is not possible to set up general requirements applicable to all cases in this regard, but these will rather very much depend on the specific data transfer in question. Safeguards might include, depending on the case, for example measures aimed at ensuring deletion of the data as soon as possible after the transfer, or limiting the purposes for which the data may be processed following the transfer. Particular attention should be paid to whether it may be sufficient to transfer pseudonymized or encrypted data. Moreover, technical and organizational measures aimed at ensuring that the transferred data cannot be used for other purposes than those strictly foreseen by the data exporter should be examined.
Information of the supervisory authority
The duty to inform the supervisory authority does not mean that the transfer needs tobe authorized by the supervisory authority, but rather it serves as an additional safeguard by enabling the supervisory authority to assess the data transfer (if it considers it appropriate) as to its possible impact on the rights and freedoms of the data subjects affected. As part of its compliance with the accountability principle, it is recommended that the data exporter records all relevant aspects of the data transfer e.g. the compelling legitimate interest pursued, the “competing” interests of the individual, the nature of the data transferred and the purpose of the transfer.
Providing information of the transfer and the compelling legitimate interests pursued to the data subject
The data controller must inform the data subject of the transfer and of the compelling legitimate interests pursued. This information must be provided in addition to that required to be provided under to Articles 13 and 14 of the GDPR.