Article 49
Derogations for specific situations

Recitals of the Regulation related to Art. 49

(111) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his or her explicit consent, where the transfer is occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies. Provision should also be made for the possibility for transfers where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In the latter case, such a transfer should not involve the entirety of the personal data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or, if they are to be the recipients, taking into full account the interests and fundamental rights of the data subject.

(112) Those derogations should in particular apply to data transfers required and necessary for important reasons of public interest, for example in cases of international data exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or for public health, for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport. A transfer of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the data subject's or another person's vital interests, including physical integrity or life, if the data subject is incapable of giving consent. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of data to a third country or an international organisation. Member States should notify such provisions to the Commission. Any transfer to an international humanitarian organisation of personal data of a data subject who is physically or legally incapable of giving consent, with a view to accomplishing a task incumbent under the Geneva Conventions or to complying with international humanitarian law applicable in armed conflicts, could be considered to be necessary for an important reason of public interest or because it is in the vital interest of the data subject.

(113) Transfers which can be qualified as not repetitive and that only concern a limited number of data subjects, could also be possible for the purposes of the compelling legitimate interests pursued by the controller, when those interests are not overridden by the interests or rights and freedoms of the data subject and when the controller has assessed all the circumstances surrounding the data transfer. The controller should give particular consideration to the nature of the personal data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and should provide suitable safeguards to protect fundamental rights and freedoms of natural persons with regard to the processing of their personal data. Such transfers should be possible only in residual cases where none of the other grounds for transfer are applicable. For scientific or historical research purposes or statistical purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration. The controller should inform the supervisory authority and the data subject about the transfer.

Recitals of the Directive related to Art. 49

(58) Whereas provisions should be made for exemptions from this prohibition in certain circumstances where the data subject has given his consent, where the transfer is necessary in relation to a contract or a legal claim, where protection of an important public interest so requires, for example in cases of international transfers of data between tax or customs administrations or between services competent for social security matters, or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest; whereas in this case such a transfer should not involve the entirety of the data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or if they are to be the recipients;

GDPR

The derogations provided for by the Directive have been maintained and developed in Article 49 of the Regulation. Subject to several adaptations, the derogations already covered by the Directive are set out here, such as:

- the explicit consent of the data subject for the transfer (a). Since this derogation is based on consent, the commented provision requires the controller to obtain the “explicit” consent of the data subject to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

- when the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request (b);

- when the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person (c);

- when the transfer is necessary for important reasons of public interest (d). Recital 112 provides several examples of data transfer needed for important reasons of general interest: in case of international exchange of data between competition authorities, tax or customs administrations, between financial supervisory authorities, between services responsible for matters of social security or public health. In this regard, article 49 (4) specifies that the general interest justifying the transfer must be recognized by the EU law or the national law of the Member State of the controller;

- when the transfer is necessary for the establishment, exercise or defence of legal claims (e);

- when the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent (f). The derogation relating to the vital interests of the data subject now also seeks to protect the vital interests of others;

- when the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest. The consultation conditions must be met in compliance with the Union or Member State law (g). Paragraph 2 restricts the data that can be the subject of a transfer in this case. Such a transfer shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Finally, where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

The essential innovation of Article 49 is the introduction of a new derogation based on the need for the transfer for the purpose of compelling legitimate interests pursued by the controller or the processor; resorting to this derogation is however strictly controlled.

To invoke this derogation, the transfer

- cannot be based on Articles 45 (adequate level of protection) or 46 (sufficient safeguards) including those related to the binding corporate rules (Article 47) or any other derogations referred to in Articles 49 (1), a) to f);

- must not be repetitive and must concern only a limited number of data subjects, which means taking into consideration the amount of personal data and the number of data subjects and considering whether the transfer is carried out on an occasional or regular basis;

- must be necessary in the pursuit of “incontestable” legitimate interests of the controller which are not overridden by the interests or rights and freedoms of the data subject;

- the controller or the processor has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. This means that the controller should take into consideration the nature of the data, the purpose and duration of envisaged processing as well as the situation in the country of origin, in the third country and the country of final destination and provide appropriate safeguards to protect fundamental rights and freedoms of natural persons. The final version of the regulation adds that the controller or the processor must document the above assessment and the safeguards taken accordingly (6).

- the controller must not only notify the supervisory authority of said transfer but must also provide additional information to the data subjects regarding the compelling interests that justify the transfer of their data, in addition to the information referred to in articles 13 and 14.

It should be noted that the derogations based on the consent of the data subject, on contractual need (that is, the exceptions referred to in Article 49 (1) (b) and (c)), and on the compelling legitimate interests of the controller are not applicable to the activities of public authorities in the exercise of their prerogative of public power (paragraph 3).

Finally, according to paragraph 5, in the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organization.

The Directive

Article 26 of the Directive formulated six exceptions to the prohibition to transfer data to a third country not providing an adequate level of protection. They addressed limited cases presenting risks normally mitigated for the data subject, taking account of the primacy of the public interest or that of the data subject over data protection. According to the Article 29 Working Party, resorting to these exemptions should be the ultimate solution only, when no other provision was made to allow the transfer (G29, Working Document of 24 July 1998, Transfers of Personal Data to Third Countries: Application of Articles 25 and 26 of the Directive on the Data Protection, WP 12). 

These exemptions addressed the following cases: when the data subject had given his explicit consent to the transfer; when the transfer was necessary in the context of a contract or a legal action; when the protection of an important public interest demanded it; or for recognition, exercise or defence of a legal right, for example in the case of international exchange of data between tax or customs administrations or between services competent for social security; when the transfer was necessary to protect the vital interest of the data subject, or when the transfer was made from a register established by law and intended to be viewed by the public or by persons who can prove a legitimate interest.

These exceptions were subject to a strict interpretation, as advocated by the Article 29 Working Party in its Working Paper No. 114 on a common interpretation of the provisions of Article 26 (1) of Directive 95/46/EC of 24 October 1995, adopted on 25 November 2005, since the data have no protection once they have been transferred.

Challenges

Article 49 contains the traditional exceptions already implemented by the Directive. By admitting an exception to the prohibition of transfer on the basis of indisputable legitimate interests of the controller, the provision also aims to facilitate exceptional transfers to third countries without an adequate level of protection, while safeguarding the rights of the data subject. It could be particularly useful in the event that the data is transferred to a processor outside the EU.

Regulation

Art. 49

1.   In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;

b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;

c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;

d) the transfer is necessary for important reasons of public interest;

e) the transfer is necessary for the establishment, exercise or defence of legal claims;

f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;

g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

 

1st proposal

Art. 44

1.           In the absence of an adequacy decision pursuant to Article 41 or of appropriate safeguards pursuant to Article 42, a transfer or a set of transfers of personal data to a third country or an international organisation may take place only on condition that:

(a)     the data subject has consented to the proposed transfer, after having been informed of the risks of such transfers due to the absence of an adequacy decision and appropriate safeguards; or

(b)     the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; or

(c)     the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or

(d)     the transfer is necessary for important grounds of public interest; or

(e)     the transfer is necessary for the establishment, exercise or defence of legal claims; or

(f)      the transfer is necessary in order to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent; or

(g)     the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case; or

(h)     the transfer is necessary for the purposes of the legitimate interests pursued by the controller or the processor, which cannot be qualified as frequent or massive, and where the controller or processor has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and based on this assessment adduced appropriate safeguards with respect to the protection of personal data, where necessary.

2.           A transfer pursuant to point (g) of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. When the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

3.           Where the processing is based on point (h) of paragraph 1, the controller or processor shall give particular consideration to the nature of the data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and adduced appropriate safeguards with respect to the protection of personal data, where necessary.

4.           Points (b), (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.

5.           The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the law of the Member State to which the controller is subject.

6.           The controller or processor shall document the assessment as well as the appropriate safeguards adduced referred to in point (h) of paragraph 1 of this Article in the documentation referred to in Article 28 and shall inform the supervisory authority of the transfer.

7.           The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of further specifying 'important grounds of public interest' within the meaning of point (d) of paragraph 1 as well as the criteria and requirements for appropriate safeguards referred to in point (h) of paragraph 1.

2nd proposal

Art. 44

1. In the absence of an adequacy decision pursuant to paragraph 3 of Article 41, or of appropriate safeguards pursuant to Article 42, including binding corporate rules (...), a transfer or a category of transfers of personal data to (...) a third country or an international organisation may take place only on condition that:

(a) the data subject has explicitly consented to the proposed transfer, after having been informed that such transfers may involve risks for the data subject due to the absence of an adequacy decision and appropriate safeguards; or

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request; or

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person; or

(d) the transfer is necessary for important reasons of public interest; or

(e) the transfer is necessary for the establishment, exercise or defence of legal claims; or

(f) the transfer is necessary in order to protect the vital interest of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent; or

(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest but only to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case; or

(h) the transfer, which is not large scale or frequent, is necessary for the purposes of legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject and where the controller (...) has assessed all the circumstances surrounding the data transfer operation or the set of data transfer operations and (...) based on this assessment adduced suitable safeguards with respect to the protection of personal data.

2. A transfer pursuant to point (g) of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. When the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

3.(...)

4. Points (a), (b), (c) and (h) of paragraph 1 shall not apply to activities carried out by public authorities in the exercise of their public powers.

5. The public interest referred to in point (d) of paragraph 1 must be recognised in Union law or in the national law of the Member State to which the controller is subject. (...)

5a. In the absence of an adequacy decision, Union law or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.

6. The controller or processor shall document the assessment as well as the suitable safeguards (...) referred to in point (h) of paragraph 1 in the records referred to in Article 28 (...).

6a. (...)

7. (...)

Directive

Art. 26

1. By way of derogation from Article 25 and save where otherwise provided by domestic law governing particular cases, Member States shall provide that a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2) may take place on condition that:

(a) the data subject has given his consent unambiguously to the proposed transfer; or

(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of precontractual measures taken in response to the data subject's request; or

(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and a third party; or

(d) the transfer is necessary or legally required on important public interest grounds, or for the establishment, exercise or defence of legal claims; or

(e) the transfer is necessary in order to protect the vital interests of the data subject; or

(f) the transfer is made from a register which according to laws or regulations is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation are fulfilled in the particular case.

2. Without prejudice to paragraph 1, a Member State may authorize a transfer or a set of transfers of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 (2), where the controller adduces adequate safeguards with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contractual clauses.

3. The Member State shall inform the Commission and the other Member States of the authorizations it grants pursuant to paragraph 2.

If a Member State or the Commission objects on justified grounds involving the protection of the privacy and fundamental rights and freedoms of individuals, the Commission shall take appropriate measures in accordance with the procedure laid down in Article 31 (2).

Member States shall take the necessary measures to comply with the Commission's decision.

4. Where the Commission decides, in accordance with the procedure referred to in Article 31 (2), that certain standard contractual clauses offer sufficient safeguards as required by paragraph 2, Member States shall take the necessary measures to comply with the Commission's decision.

Art. 49

Derogations for specific situations

1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards,

b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request,

c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person,

d) the transfer is necessary for important reasons of public interest,

e) the transfer is necessary for the establishment, exercise or defence of legal claims,

f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent,

g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and of the compelling legitimate interests pursued.

2. A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.

3. Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.

4. The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.

5. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.

6. The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 of this Article in the records referred to in Article 30.

Former Act

Personal Data Act (Pol.) § 30 Exceptions

Personal data may also be transferred to states that do not ensure adequate processing of the data if

a) the data subject has consented to the transfer,

b) there is an obligation to transfer the data under an agreement under international law or as a result of membership of an international organisation,

c) the transfer is necessary to perform a contract with the data subject, or to carry out tasks at the data subject's request before such a contract is entered into,

d) the transfer is necessary to conclude or perform a contract with a third party in the data subject's interest,

e) the transfer is necessary to protect the data subject's vital interests,

f) the transfer is necessary to establish, exercise or defend a legal claim,

g) the transfer is necessary, or follows from law, in order to protect an important public interest, or

h) it is laid down by law that information may be demanded from a public register.

Datatilsynet (the Norwegian Data Protection Authority) may permit a transfer even if the conditions in the first paragraph are not met, provided that the controller gives sufficient guarantees for the protection of the data subject's rights. Datatilsynet may set conditions for the transfer.

The King may issue regulations on the transfer of personal data abroad, including on stopping or restricting transfers to particular states that do not meet the requirements of § 29.

Personal Data Regulations (Pol. forskriften) § 6-1 The EU Commission's decisions on the level of protection in third countries

The Commission's decisions under Articles 25 and 26, cf. Article 31, of Directive 95/46/EC also apply to Norway in accordance with EEA Joint Committee Decision No 83/1999 (of 25 June 1999 amending Protocol 37 and Annex XI to the EEA Agreement), unless the right of reservation has been exercised.

Datatilsynet shall ensure that the decisions are complied with.

Personal Data Regulations (Pol. forskriften) § 6-2 Datatilsynet's assessment of the level of protection in third countries

If Datatilsynet concludes that a third country does not have a satisfactory level of protection for the processing of personal data, Datatilsynet shall notify the EU Commission and the other Member States of its decision.

If Datatilsynet, following a specific assessment under Article 26(2) of Directive 95/46/EC, nevertheless permits the transfer of personal data to a third country that does not ensure a satisfactory level of protection under Article 25(2) of Directive 95/46/EC, Datatilsynet shall notify the EU Commission and the other Member States of its decision.

If the Commission or other Member States object to Datatilsynet's decisions under the second paragraph, and the Commission takes measures, Datatilsynet shall ensure that the decision is complied with.
