Guidelines 02/2018 on Derogations of Article 49 GDPR
Paragraph 2.1.3 Consent must be informed particularly as to the possible risks of the transfer
This condition is particularly important since it reinforces and further specifies the general requirement of “informed” consent as applicable to any consent and laid down in Art. 4(11). As such, the general requirement of “informed” consent requires, in the case of consent as a lawful basis pursuant to Article 6(1)(a) for a data transfer, that the data subject is properly informed in advance of the specific circumstances of the transfer (i.e. the data controller’s identity, the purpose of the transfer, the type of data, the existence of the right to withdraw consent, the identity or the categories of recipients).
In addition to this general requirement of “informed” consent, where personal data are transferred to a third country under Article 49(1)(a), this provision requires data subjects to be also informed of the specific risks resulting from the fact that their data will be transferred to a country that does not provide adequate protection and that no adequate safeguards aimed at providing protection for the data are being implemented. The provision of this information is essential in order to enable the data subject to consent with full knowledge of these specific facts of the transfer and therefore, if it is not supplied, the derogation will not apply.
The information provided to data subjects in order to obtain consent for the transfer of their personal data to third parties established in third countries should also specify all data recipients or categories of recipients, all countries to which the personal data are being transferred, that the consent is the lawful ground for the transfer, and that the third country to which the data will be transferred does not provide for an adequate level of data protection based on a European Commission decision. In addition, as mentioned above (par. 2.1.2), information has to be given as to the possible risks for the data subject arising from the absence of adequate protection in the third country and the absence of appropriate safeguards. Such notice, which could be standardized, should include, for example, information that in the third country there might not be a supervisory authority and/or data processing principles and/or data subject rights might not be provided for in the third country.
In the specific case where a transfer is performed after the collection of personal data from the data subject has been made, the data exporter should inform the data subject of the transfer and of its risks before it takes place so as to collect his explicit consent to the “proposed” transfer.
As shown by the analysis above, the GDPR sets a high threshold for the use of the derogation of consent. This high threshold, combined with the fact that the consent provided by a data subject can be withdrawn at any time, means that consent might prove not to be a feasible long-term solution for transfers to third countries.