Article 46
Transfers subject to appropriate safeguards

Recitals of the Regulation related to Art. 46

(105) Apart from the international commitments the third country or international organisation has entered into, the Commission should take account of obligations arising from the third country's or international organisation's participation in multilateral or regional systems in particular in relation to the protection of personal data, as well as the implementation of such obligations. In particular, the third country's accession to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to the Automatic Processing of Personal Data and its Additional Protocol should be taken into account. The Commission should consult the Board when assessing the level of protection in third countries or international organisations.

(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission, standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation, in the Union or in a third country. They should relate in particular to compliance with the general principles relating to personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by public authorities or bodies with public authorities or bodies in third countries or with international organisations with corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements, such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation by the competent supervisory authority should be obtained when the safeguards are provided for in administrative arrangements that are not legally binding.

(109) The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or by a supervisory authority should prevent controllers or processors neither from including the standard data-protection clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual commitments that supplement standard protection clauses.

(110) A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.

(114) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred so that that they will continue to benefit from fundamental rights and safeguards.

Recitals of the Directive related to Art. 46

(59) Whereas particular measures may be taken to compensate for the lack of protection in a third country in cases where the controller offers appropriate safeguards; whereas, moreover, provision must be made for procedures for negotiations between the Community and such third countries;

GDPR

Article 46 of the Regulation repeats and elaborates on the exception laid down in Article 26 (2) of the Directive, which applies where the controller or the processor provides sufficient safeguards and the Commission has not adopted a decision finding an adequate level of protection. Note that the controller or the processor is no longer required to assess this level itself. In the absence of such a decision, the conditions of this exception (or of one of those provided for in Articles 47 and 49) must be met.

The final version of the Regulation supplements paragraph 1 of Article 46, adding that the transfer with appropriate safeguards is authorised only on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

The measures listed in Article 46 (2) can be implemented without authorisation from the supervisory authority. The safeguards can be provided:

- by a legally binding and enforceable instrument between public authorities or bodies (a) or

- by binding corporate rules in accordance with Article 47 (b). Recital 110 adds that these corporate rules must include the essential principles and the enforceable rights providing appropriate safeguards for the transfers or the categories of transfers of personal data or

- by standard data protection clauses adopted by the Commission (c) or jointly by a supervisory authority and by the Commission (d), or

- by an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights (e).

- by an approved certification mechanism pursuant to Article 42 certifying the compliance of the processing with the rules of the Union (f).

Paragraph 3 details other measures for which the prior authorization of the competent supervisory authority is required. In these cases, the supervisory authority must respect the consistency mechanism defined in Article 64, which stipulates that the opinion of the European Data Protection Board must be obtained (see Article 64 (1) (e)).

The following are subject to authorization:

- contractual clauses that have not previously been adopted by the Commission or by a national supervisory authority, entered into between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organization (Art. 46 (3) (a)) or

- provisions to be inserted into administrative arrangements between public authorities or bodies (Art. 46 (3) (b)). The final version of the Regulation specifies that these arrangements should ensure the effectiveness of the rights granted to data subjects.

Lastly, paragraph 5 states that the authorizations issued by a Member State or a supervisory authority pursuant to the Directive remain valid until they are amended, revised or repealed by the same authority. The same applies to the decisions of the Commission taken pursuant to Article 26 (4) of the Directive.

The Directive

The Directive provided various exceptions to the prohibition of treatment resulting from the absence of an adequate level of protection.

One of them is laid down in Article 26 (2) and applies when the controller offers sufficient safeguards with respect to the protection of the privacy and fundamental rights of individuals, as well as with respect to the exercise of the corresponding rights and freedoms. This derogation implies that the controller shall have taken special measures to meet the shortfall in the level of protection of the country of destination of the personal data.

According to Article 26 (2) of the Directive, these appropriate safeguards may result from appropriate contractual clauses. Standard contractual terms have therefore been developed to regulate the transfers of data outside the EU by formalizing the protection rules contained in the Directive. Models were then adopted by the European Commission in accordance with Article 26 (4) of the Directive. In practice, this provision gave the Commission the power to find, by way of decision, that some standard contractual clauses offered sufficient safeguards, which then required the Member States to authorise the transfers based on these standard contractual clauses. The Commission decision should be adopted in accordance with the procedure laid down in Article 31, paragraph 2, providing for referral to the Committee under Article 31 (see decisions 2001/497/EC; 2002/16/EC; 2004/915/EC; 2010/87/EU).

An alternative to the standard contractual clauses has emerged since 2003: internal corporate rules (called Binding Corporate Rules). Though initially sceptical, it was the Article 29 Working Party that developed this system in its working paper WP 74 of 3 June 2003 (working paper WP 74: Transfers of personal data to third countries pursuant to Article 26 (2) of the Directive). It is a global and unique alternative that allows all transfers of data within a group of undertakings to be regulated, without systematically verifying the legal basis for the transfer (see the comments on Article 43 on the Binding Corporate Rules).

Challenges

The new system is certainly clearer than the previous one: safeguards need to be provided in the absence of an adequacy decision by the Commission. The choice of safeguards is expanded, and the national supervisory authorities will be able to intervene through a formalized procedure if the conventional safeguards cannot be implemented for reasons specific to the controller or the processor.

Of course, a specific difficulty would arise if the controller or the processor had considered, in the absence of an official position of the Commission, that the recipient was located in a territory offering an adequate level of protection. They must then take one of the proposed measures to be in compliance with the Regulation.

Regulation

Art. 46

1.   In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

2.   The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any specific authorisation from a supervisory authority, by:

a) a legally binding and enforceable instrument between public authorities or bodies;

b) binding corporate rules in accordance with Article 47;

c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2);

d) standard data protection clauses adopted by a supervisory authority and approved by the Commission pursuant to the examination procedure referred to in Article 93(2);

e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights; or

f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards data subjects' rights.

3.   Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

a) contractual clauses between the controller or processor and the controller, processor or the recipient of the personal data in the third country or international organisation; or

b) provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights.

4.   The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

5.   Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed, if necessary, by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed, if necessary, by a Commission Decision adopted in accordance with paragraph 2 of this Article.

1st proposal

Art. 42

1. Where the Commission has taken no decision pursuant to Article 41, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has adduced appropriate safeguards with respect to the protection of personal data in a legally binding instrument.

2. The appropriate safeguards referred to in paragraph 1 shall be provided for, in particular, by:

(a) binding corporate rules in accordance with Article 43; or

(b) standard data protection clauses adopted by the Commission. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87(2); or

(c) standard data protection clauses adopted by a supervisory authority in accordance with the consistency mechanism referred to in Article 57 when declared generally valid by the Commission pursuant to point (b) of Article 62(1); or

(d) contractual clauses between the controller or processor and the recipient of the data authorised by a supervisory authority in accordance with paragraph 4.

3. A transfer based on standard data protection clauses or binding corporate rules as referred to in points (a), (b) or (c) of paragraph 2 shall not require any further authorisation.

4. Where a transfer is based on contractual clauses as referred to in point (d) of paragraph 2 of this Article the controller or processor shall obtain prior authorisation of the contractual clauses according to point (a) of Article 34(1) from the supervisory authority. If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57.

5. Where the appropriate safeguards with respect to the protection of personal data are not provided for in a legally binding instrument, the controller or processor shall obtain prior authorisation for the transfer, or a set of transfers, or for provisions to be inserted into administrative arrangements providing the basis for such transfer. Such authorisation by the supervisory authority shall be in accordance with point (a) of Article 34(1). If the transfer is related to processing activities which concern data subjects in another Member State or other Member States, or substantially affect the free movement of personal data within the Union, the supervisory authority shall apply the consistency mechanism referred to in Article 57. Authorisations by a supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid, until amended, replaced or repealed by that supervisory authority.

2nd proposal

Art. 42

1. In the absence of a decision pursuant to paragraph 3 of Article 41, a controller or processor may transfer personal data to (...) a third country or an international organisation only if the controller or processor has adduced appropriate safeguards, also covering onward transfers (...).

2. The appropriate safeguards referred to in paragraph 1 may be provided for (...), without requiring any specific authorisation from a supervisory authority, by:

(oa) a legally binding and enforceable instrument between public authorities or bodies; or

(a) binding corporate rules referred to in Article 43; or

(b) standard data protection clauses adopted by the Commission (...) in accordance with the examination procedure referred to in Article 87(2); or

(c) standard data protection clauses adopted by a supervisory authority (...) and adopted by the Commission pursuant to the examination procedure referred to in Article 87(2).

(d) an approved code of conduct pursuant to Article 38 together with binding and enforceable commitments of the controller or processor (...) in the third country to apply the appropriate safeguards, including as regards data subjects’ rights; or

(e) an approved certification mechanism pursuant to Article 39 together with binding and enforceable commitments of the controller or processor (...) in the third country to apply the appropriate safeguards, including as regards data subjects’ rights.

2a. Subject to the authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided for, in particular, by:

(a) contractual clauses between the controller or processor and the controller, processor or the recipient of the data (...) in the third country or international organisation; or

(b) (...)

(c) (...)

(d) provisions to be inserted into administrative arrangements between public authorities or bodies (...).

3. (...)

4. (...)

5. (...)

5a. The supervisory authority shall apply the consistency mechanism in the cases referred to in points (ca), (d), (e) and (f) of Article 57 (2).

5b. Authorisations by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until amended, replaced or repealed by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until amended, replaced or repealed by a Commission Decision adopted in accordance with paragraph 2.

Directive

Art. 26

2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

3. The Member State shall inform the Commission and the other Member States of the authorizations it grants pursuant to paragraph 2.

If a Member State or the Commission objects on justified grounds involving the protection of the privacy and fundamental rights and freedoms of individuals, the Commission shall take appropriate measures in accordance with the procedure laid down in Article 31 (2).

Member States shall take the necessary measures to comply with the Commission's decision.

4. Where the Commission decides, in accordance with the procedure referred to in Article 31 (2), that certain standard contractual clauses offer sufficient safeguards as required by paragraph 2, Member States shall take the necessary measures to comply with the Commission's decision.

Art. 46

Transfers subject to appropriate safeguards

1. Where no decision pursuant to Article 45(3) exists, a controller or processor may transfer personal data to a third country or an international organisation only if the controller or processor has provided appropriate safeguards, and on condition that the data subjects have enforceable rights and effective legal remedies.

2. The appropriate safeguards referred to in paragraph 1 may, without requiring specific authorisation from a supervisory authority, be provided by means of

a) a legally binding and enforceable instrument between public authorities or bodies,

b) binding corporate rules in accordance with Article 47,

c) standard data protection clauses adopted by the Commission in accordance with the examination procedure referred to in Article 93(2),

d) standard data protection clauses adopted by a supervisory authority and approved by the Commission in accordance with the examination procedure referred to in Article 93(2),

e) an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards, including as regards the data subjects' rights, or

f) an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply appropriate safeguards, including as regards the data subjects' rights.

3. Subject to authorisation from the competent supervisory authority, the appropriate safeguards referred to in paragraph 1 may also be provided, in particular by means of

a) contractual clauses between the controller or processor and the controller, processor or recipient of personal data in the third country or the international organisation, or

b) provisions to be inserted into administrative arrangements between public authorities or bodies, and which include enforceable and effective rights for the data subjects.

4. The supervisory authority shall apply the consistency mechanism referred to in Article 63 in the cases referred to in paragraph 3 of this Article.

5. Authorisations granted by a Member State or supervisory authority on the basis of Article 26(2) of Directive 95/46/EC shall remain valid until they are, if necessary, amended, replaced or repealed by that supervisory authority. Decisions adopted by the Commission on the basis of Article 26(4) of Directive 95/46/EC shall remain in force until they are, if necessary, amended, replaced or repealed by a Commission decision adopted in accordance with paragraph 2 of this Article.

The old Act

Personal Data Regulations (Pol. forskriften) § 6-3 Duty to notify when transferring personal data to processors in third countries

Transfer of personal data to third countries that do not have an adequate level of protection may take place without prior approval from Datatilsynet under section 30, second paragraph, of the Personal Data Act (personopplysningsloven), provided that the recipient of the data is a processor and the basis for the transfer is the EU standard contract included in Commission Decision 2010/87/EU dated 5 February 2010. The controller shall notify Datatilsynet of the transfer by submitting a completed and signed standard contract. The transfer may take place once the notification has been sent.

Third country means any country that has not implemented Directive 95/46/EC and that has not been approved by a European Commission decision either, cf. § 6-1.

0 Repealed 1 Jan 2004 by regulation of 23 Dec 2003 no. 1798, cf. regulation of 24 April 2008 no. 396, added by regulation of 24 April 2014 no. 569 (in force 1 July 2014).
