Guidelines 2/2020 on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies

Section 2.7  Redress mechanisms

45. In order to guarantee enforceable and effective data subjects rights the international agreement should provide for a system that enables data subjects to continue to benefit from redress mechanisms after their data has been transferred to a non EEA country or an international organisation. These redress mechanisms must provide recourse for individuals who are affected by non-compliance with the provisions of the chosen instrument and thus the possibility for data subjects whose personal data have been transferred from the EEA to lodge complaints regarding such non-compliance and to have these complaints resolved. In particular, the data subject must be ensured aneffective route to complain to the public bodies that are parties to the international agreement and (either directly or after having addressed the relevant party) to an independent oversight body. Moreover, a judicial remedy should, in principle, be available.

46. First, the receiving public body should commit to put in place a mechanism to effectively and timely handle and resolve complaints from data subjects concerning compliance with the agreed data protection safeguards. Moreover, data subjects should be provided with the possibility to obtain effective administrative redress before an independent oversight body, including, where available, an independent data protection authority.

47. Second, the agreement should allow for a judicial remedy including compensation for damages -both material and non-material -asa result of the unlawful processing of the personal data. If there is no possibility to ensure effective judicial redress, for example due to restrictions in the domestic law or the specific status of the receiving public body, e.g. international organisations, the international agreement must provide for alternative safeguards.

48. In that case, the international agreement could create a structure which enables the data subject to enforce its rights outside the courts, for example through quasi-judicial, binding mechanisms such as arbitration or alternative dispute resolution mechanisms such as mediation, which would guarantee an independent review. Moreover, the public body transferring the personal data could commit to be liable for compensation of damages through unlawful processing of the personal data which are testified by the independent review. Exceptionally, other, equally effective redress mechanisms could be put in place by the agreement. 

49. For all of the abovementioned redress mechanisms, the international agreement should contain an obligation for the parties to inform each other of the outcome of the proceedings, in particular if a complaint of an individual is dismissed or not resolved.

50. The redress mechanism should be combined with the possibility for the transferring public body to suspend or terminate the transfer of personal data under the international agreement where the parties do not succeed in resolving a dispute amicably until itconsiders that the issue has been satisfactorily addressed by the receiving public body. Such a suspension or termination, if carried out, should be accompanied by a commitment from the receiving public body to return or delete the personal data. The transferring body should notify the suspension or termination to the competent national SA.