How to Demonstrate Compliance With GDPR Article 46

Transfers Subject to Appropriate Safeguards


GDPR Article 46 allows for the transfer of data to another country or international organisation without an ‘adequacy decision’ (see Article 45).

The majority of countries able to receive data from the UK or the EU do not have their own data protection frameworks in place. As such, Article 46 plays an important role in securing the rights and freedoms of naturalised citizens in a global economy.

GDPR Article 46 Legal Text

EU GDPR Version

Transfers Subject to Appropriate Safeguards

  1. In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
  2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:
    • (a) a legally binding and enforceable instrument between public authorities or bodies;
    • (b) binding corporate rules in accordance with Article 47;
    • (c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);
    • (d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);
    • (e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
    • (f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

  3. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:
    • (a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
    • (b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

  4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.
  5. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

UK GDPR Version

Transfers Subject to Appropriate Safeguards

  1. In the absence of adequacy regulations under section 17A of the 2018 Act, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.
  2. The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from the Commissioner, by:
    • (a) a legally binding and enforceable instrument between public authorities or bodies;
    • (b) binding corporate rules in accordance with Article 47;
    • (c) standard data protection clauses specified in regulations made by the Secretary of State under section 17C of the 2018 Act and for the time being in force;
    • (d) standard data protection clauses specified in a document issued (and not withdrawn) by the Commissioner under section 119A of the 2018 Act and for the time being in force;
    • (e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or
    • (f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

  3. With authorisation from the Commissioner, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:
    • (a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or
    • (b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

Technical Commentary

The discussion regarding the transfer of personal data to countries without an accompanying adequacy framework is spread across six key areas:

  1. The scope of the transfer.
  2. A list of appropriate safeguards to be used without prior authorisation.
  3. Safeguards that may be used with authorisation.
  4. The submission of any safeguards used to the appropriate data protection authority.
  5. How authorities should assess the suitability and efficiency of any safeguards submitted for scrutiny.
  6. A continuous review of any authorisations granted, in line with the above points.

ISO 27701 Clause 7.5.1 (Identify Basis for PII Transfer Between Jurisdictions) and EU GDPR Article 46

In this section we talk about GDPR Articles 46 (1), 46 (2)(a), 46 (2)(b), 46 (2)(c), 46 (2)(d), 46 (2)(e), 46 (2)(f), 46 (3)(a), 46 (3)(b), 46 (4) and 46 (5).

Regional regulatory and legal rules vary depending on where the data has originated from, and where it’s going to be transferred to.

Organisations should take all relevant laws, frameworks and regulations into account whenever they need to transfer data between jurisdictions, including the use of a designated supervisory authority.

ISO 27701 Clause 8.5.1 (Basis for PII Transfer Between Jurisdictions) and EU GDPR Article 46

In this section we talk about GDPR Articles 46 (1), 46 (2)(a), 46 (2)(b), 46 (2)(c), 46 (2)(d), 46 (2)(e), 46 (2)(f), 46 (3)(a) and 46 (3)(b).

Customers should be able to view a list of potential recipient countries and organisations at any given time, including a log of all countries involved in PII subcontracting (see ISO 27701 clause 8.5.1).

In certain circumstances, organisations will not always be able to divulge in advance where transfer requests have originated from, particularly in cases involving criminal proceedings. This is unavoidable, and it should be the organisation’s priority to uphold the integrity of a law enforcement operation (see ISO 27701 clauses 7.5.1, 8.5.4 and 8.5.5).

Supporting ISO 27701 Clauses

  • ISO 27701 7.5.1
  • ISO 27701 8.5.1
  • ISO 27701 8.5.4
  • ISO 27701 8.5.5

Index of Linked EU GDPR Articles and ISO 27701 Clauses

GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses
EU GDPR Articles 46 (1) to 46 (5) | ISO 27701 7.5.1 | None
EU GDPR Articles 46 (1) to 46 (3)(b) | ISO 27701 8.5.1 | ISO 27701 7.5.1, ISO 27701 8.5.4, ISO 27701 8.5.5

How ISMS.online Helps

We provide you with a pre-built environment in which to describe and demonstrate your approach to protecting your European and UK customer data, in a way that fits seamlessly into your existing management system.

With ISMS.online, it is easy for you to jump straight into the journey to GDPR compliance and to easily demonstrate a level of protection that extends beyond ‘reasonable’, all in one secure, always-on location that you can access from anywhere.

Find out more by scheduling a demo.
