The European Data Protection Board (« EDPB ») issued a new draft guideline (“Guideline 3/2018”) on the territorial scope of the General Data Protection Regulation (“GDPR”).

The Guideline 3/2018 brings long awaited clarifications on questions in relation to the criteria of “establishment” and “targeting”, processing in places where Member State law applies by virtue of public international law (which will not be analysed here) and the need for a representative for controllers or processors not established in the EU.

As a reminder, Article 3 GDPR foresees that the EU Regulation applies to processing of personal data in the context of activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the EU or not.

The EU legislator’s intention was, with regard to territorial scope, to establish a level playing field for companies active in the EU markets, in a context of worldwide data flows.

The territorial scope uses two main criteria: establishment (1) and targeting (2). If one of these 2 criteria is met, the relevant provisions of the GDPR will apply. In cases where the controller or the processor does not have an establishment in the EU, he must designate a EU representative (3).

(This article gives an overview only of the Guideline 3/2018 and shall not be considered as exhaustive and/or legal advice.)

• Establishment

The GDPR does not provide a definition of the term “establishment” for the purpose of Article 3. However, the EDPB reminded that ECJ Case law on the interpretation of this term remains applicable (see for example ECJ Google Spain and ECJ Weltimmo). While the Guideline 3/2018 confirms that the interpretation of the term establishment is broad (and the legal form of the establishment is irrelevant), it also insisted that is not without limits (e.g. the mere fact that an undertaking’s website is accessible in a Member State of the EU is not sufficient to conclude that it has an establishment).

Another interesting clarification provided by the Guideline 3/2018 is that processing by the establishment is not necessary: it is sufficient that the processing is carried out “in the context of the activities” (EDPB also refers to applicable EU Case Law to understand this difference).

The Guideline 3/2018 further confirms that, with regard to “processing in the context of the activities”, location and nationality of the data subjects who are in the EU is not relevant. This means that neither the controller / processor, nor the data subjects need to be in EU in order for the GDPR to apply.

• Targeting

The EDPB reminds that the absence of an establishment in the EU does not mean that a data controller or procession is excluded from the scope of GDPR (However, it is also reminded that in the absence of an establishment, the data controller or processor cannot benefit from the one-stop shop)

To see whether the targeting criteria applies (i.e. criteria applicable to a controller or processor without an establishment in the EU) the EDPB recommends to:

1. determine that the processing relates to personal data of data subjects who are in the EU and
2. whether it relates to the offering of goods or services or to the monitoring of data subject’s behavior in the EU.

1. Data subjects in the EU

The EDPB reminds that this criteria is not limited by citizenship, residence or other type of legal status. This criterion must be assessed at the moment when the relevant trigger activity takes place (i.e. moment of offering goods or services or the moment when the behaviour is being monitored, regardless of the duration of the offer). The EDPB however also reminds that the processing alone is not sufficient, the controller or processor must also target individuals in the EU.

These 2 examples provided in the Guideline 3/2018 helps to clarify the distinction:

Example GDPR is applicable

A start-up established in the USA, without any business presence or establishment in the EU, provides a city-mapping application for tourists. The application processes personal data concerning the location of customers using the app (the data subjects) once they start using the application in the city they visit, in order to offer targeted advertisement for places to visits, restaurant, bars and hotels. The application is available for tourists while they visit New York, San Francisco, Toronto, London, Paris and Rome. The US start-up, via its city mapping application, is offering services to individuals in the Union (specifically in London, Paris and Rome). The processing of the EU-located data subjects’ personal data in connection with the offering of the service falls within the scope of the GDPR as per Article 3(2).

Example GDPR is not applicable

A bank in Taiwan has customers that are residing in Taiwan but hold German citizenship. The bank is active only in Taiwan; its activities are not directed at the EU market. The bank’s processing of the personal data of its German customers is not subject to the GDPR.

1. Offering of goods and services

The Guideline 3/2018 referred once more to EU law and Case law where the concept of these terms have already been defined and reminding that the payment by the data subject for the offered goods or services is not a criteria to fall within the territorial scope of GDPR.

The Guideline 3/2018 then mentions that ECJ Case Law Pammer v Reederei Karl Schlüter GmbH & Co and Hotel Alpenhof v Heller (Case Law on the interpretation of the Brussel I Regulation which clarifies when a trader is directing his activity towards the Member State of the consumer’s domicile) might be of assistance to determine whether goods or services are offered to a data subject in the EU. The Guideline provides a non-exclusive list of factors that may be taken into consideration:

– The EU or at least one Member State is designated by name with reference to the good or service offered;

– The data controller or processor pays a search engine operator for an internet referencing service in order to facilitate access to its site by consumers in the Union; or the controller or processor has launched marketing and  advertisement campaigns directed at an EU country audience

– The international nature of the activity at issue, such as certain tourist activities;

– The mention of dedicated addresses or phone numbers to be reached from an EU country

– The use of a top-level domain name other than that of the third country in which the controller or processor is established, for example “.de”, or the use of neutral top-level domain names such as “.eu”;

– The description of travel instructions from one or more other EU Member States to the place where the service is provided;

– The mention of an international clientele composed of customers domiciled in various EU Member States, in particular by presentation of accounts written by such customers;

– The use of a language or a currency other than that generally used in the trader’s country, especially a language or currency of one or more EU Member states;

– The data controller offers the delivery of goods in EU Member States.

The following examples provided by the Guideline 3/2018 clarify when goods or services are offered to EU data subjects in a manner that renders GDPR applicable or not:

Example GDPR is applicable

A website, based and managed in Turkey, offers services for the creation, edition, printing and shipping of personalised family photo albums. The website is available in English, French, Dutch and German and payments can be made in Euros or Sterling. The website indicates that photo albums can only be delivered by post mail in the UK, France, Benelux countries and Germany. In this case, it is clear that the creation, editing and printing of personalised family photo albums constitute a service within the meaning of EU law. The fact that the website is available in four languages of the EU and that photo albums can be delivered by post in six EU Member States demonstrates that there is an intention on the part of the Turkish website to offer its services to individuals in the Union. As a consequence, it is clear that the processing carried out by the Turkish website, as a data controller, relates to the offering of a service to data subjects in the Union and is therefore subject to the obligations and provisions of the GDPR, as per its Article 3(2)(a). In accordance with Article 27, the data controller will have to designate a representative in the Union.

Example GDPR is not applicable

A private company based in Monaco processes personal data of its employees for the purposes of salary payment. A large number of the company’s employees are French and Italian residents. In this case, while the processing carried out by the company relates to data subjects in France and Italy, it does not takes place in the context of an offer of goods or services. Indeed human resources management, including salary payment by a third-country company cannot be considered as an offer 17 Adopted of service within the meaning of Art 3(2)a. The processing at stake does not relate to the offer of goods or services to data subjects in the Union (nor to the monitoring of behaviour) and, as a consequence, is not subject to the provisions of the GDPR, as per Article 3. This assessment is without prejudice to the applicable law of the third country concerned

• Monitoring of data subject’s behaviour

The Guideline clarifies that behavioural monitoring can be undertaken not only through the internet (as suggested by Recital 24 GDPR), but also other types of network or technology (e.g.. wearable and other smart devices). Other than for offering of goods and services, monitoring does not require an “intention to target” to trigger the application of the GDPR, it is sufficient that the controller has a specific purpose in mind for the collection and subsequent reuse of the relevant data.

The mere collection of data is not automatically considered as monitoring. The purpose of the processing needs to be considered (e.g. the subsequent behavioural analysis or profiling techniques).

Monitoring activities include, among others:

– Behavioural advertisement

– Geo-localisation activities, in particular for marketing purposes

– Online tracking through the use of cookies or other tracking techniques such as fingerprinting

– Personalised diet and health analytics services online – CCTV – Market surveys and other behavioural studies based on individual profiles

– Monitoring or regular reporting on an individual’s health status

• Representatives of controllers or processors not in the EU

If a data controller or processor is subject to the GDPR, he shall designate a representative in the EU. The EDPB clarified that this provision was not entirely new and already existing under the previous Directive 95/46/EC.

It is also clarified that the designation of an EU representative will not be considered as an “establishment” by virtue of article 3(1) GDPR.

The written mandate given to the EU representative will typically be a service contract concluded with an individual or an organization (e.g. law firms, consultancies, private companies etc…) provided that these individuals / organizations are established in the EU. If the representative is a company or any other type of organization, it is recommended that a lead person (person in charge) within the company / organization is appointed.

The EDPB also confirmed that, in their view, the role of EU representative is not compatible with the external data protection officer (DPO).

The Guideline 3/2018 also clarifies the obligations and responsibilities of the EU representative.

While not itself responsible for complying with data subject rights, the legal representative must facilitate the communication between data subjects and the controller or processor represented, in order to make the exercise of data subjects’ rights effective. The EDPB further considers that the maintenance of a record of processing activities is a joint obligation of the controller and the processor and that if they are not established in the EU, they must provide to the representative with all accurate and updated information so that the record can be maintained and made available by the representative.

The EU representative should also perform its tasks according to the mandate received from the controller or processor, including cooperating with the competent supervisory authorities with regard to any action taken to ensure compliance with this Regulation. In practice, this means that a supervisory authority would contact the representative in connection with any matter relating to the compliance obligations of a controller or processor established outside the Union, and the representative shall be able to facilitate any informational or procedural exchange between a requesting supervisory authority and a controller or processor established outside the Union.

With the help of a team if necessary, the representative in the Union must therefore be in a position to efficiently communicate with data subjects and cooperate with the supervisory authorities concerned. This means that this communication must take place in the language or languages used by the supervisory authorities and the data subjects concerned. The availability of a representative is therefore essential in order to ensure that data subjects and supervisory authorities will be able to establish contact easily with the non-EU controller or processor.

It should however be noted that the concept of the representative was introduced precisely with the aim of ensuring enforcement of the GDPR against controllers or processors that fall under Article 3(2) of the GDPR. To this end, it was the intention to enable enforcers to initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties, and to hold representatives liable.

• Conclusion

The Guideline 3/2018 provides useful insight on the scope of GDPR to controllers and processors outside the EU and the role of the EU representative. Unfortunately, the Guideline 3/2018 (in its current draft form) does not provide any further specifications on the responsibility of a controller or processor that falls within the scope of GDPR, but does not comply with it and how such third country controller / processor will be sanctioned. Hopefully there will be some further clarification on this point in the final version of Guideline 3/2018.  Indeed, the draft version is still subject to comments from the public until 18 January 2019. Thereafter, a final version of the Guideline 3/2018 will be published.

As of 17 July 2018, Japan and the EU have reached a preliminary [Adequacy] agreement regarding future free-flow of personal data between the two countries.  This situation represents a significant practical test with regard to country-to-country data sharing agreements in light of the Regulation (EU) 2016/679  (the ‘General Data Protection Regulation’ [hereafter “GDPR”]) applicable since 25 May 2018, and could thus be seen as an active barometer with regard to the ‘vetting’ process of other states’ protection mechanisms.

Overall, the news could be seen as both a relief and somewhat anti-climactic for those interested – and if you own or operate a business outside the EU with dealings inside the EU, you most likely at least have a cursory interest – as Japan’s domestic protections were largely seen to have parallel, equivalent or, in the terms of the finding – ‘adequate’ protections.  This thus leaves the future of decision’s formal adoption (expected later this year) in the hands of Japan; as such, they are expected to implement some relatively minor, additional safeguards necessary to meet EU data protection standards during this period.

The Foundations of the GDPR Adequacy Decisions

The decision, however, does reveal some of the criteria the European Commission (hereafter ‘The Commission’) will use in determining a third country’s ability to comply.  Under Article 45 GDPR, the Commission has the power to determine […] whether a country outside the EU offers an adequate level of data protection, whether by its domestic legislation or of the international commitments it has entered into.  The process attached to Article 45 – perhaps simply due to the sheer importance/immensity of the regulation itself with regard to its effect on other states’ adaptation of legislation to correspond to EU rules – is not ‘one size fits all’.  In general, however, the procedure runs on the following lines:

1. a proposal from the European Commission
2. an opinion of the of the European Data Protection Board
3. an approval from representatives of EU countries
4. the adoption of the decision by the European Commissioners

The Commission has the right to amend, withdraw and maintain any decision on the grounds that it doesn’t exceed the implementing powers provided for in the regulation – mostly relevant to periods of review, identification of domestic advancements, supervising authorities and other minutiae.  In any case, we can see The EU’s agreement with Japan is currently in between steps three and four.

How This Fits with the Japan Decision

This is where the importance of the current agreement with Japan comes in.  The EU already has reciprocal agreements with a number of countries (Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the United States of America (limited to the Privacy Shield framework) as providing adequate protection); however, these were underwritten as part of the preceding regulation (i.e. Directive 95/46/EC) and – while being seen as desirous of maintenance by both the EU and foreign governments – have been seen as being at risk of either revision or revocation under GDPR.  In 2015, the European Court of Justice ruled the EU ‘safe harbour’ deal with the United States to be illegal.  The agreement with Japan could therefore be seen as the first under the auspices of the current, ‘more certain’ rules (As stated by Bruno Gencarelli, the head of a unit on data protection at the Commission’s justice department, via https://www.euractiv.com/section/data-protection/news/commission-conducting-review-of-all-foreign-data-transfer-deals/).

This timely review is not by coincidence; the same day, the two countries signed the complementary EU-Japan Economic Partnership Agreement.   The raft of new legislation has resulted in the relatively pressing need for robust (and therefore complex) oversight to ensure well over half a billion consumers have standardised protection of their private data.  Further, the uptake of the agreement represents the world’s largest area of ‘safe’ data transfer based on GDPR rules, as well as the first time the EU and a third country have agreed on a reciprocal recognition of the necessary criteria for an ‘adequate level’ of data protection.

Key Elements of the Japan Agreement

Data protection in Japan is largely governed by three Acts: The Act on the Protection of Personal Information (“APPI”);  The Act on the Protection of Personal Information Held by Administrative Organs (“APPIHAO”); and the Act on the Protection of Personal Information Held by Incorporated Administrative Agencies, etc. (“APPI-IAA”).  The APPI is of primary interest to the current agreement, which by itself is limited to the protection of personal information by ‘Personal Information Handling Business Operators’.  In any case, contemporary reforms have resulted in legislation which operates at relative parity, this with some small (yet noteworthy) differences (e.g. what constitutes personal data as part of a ‘personal information database’, rules regarding retention periods and methods of data transmission).  Under the agreement, however, GDPR rules will apply whenever processing the data of EU citizens, this rather that the domestic APPI counterpart.

In addition, The Japanese government has adopted the following extra safeguards under the Adequacy Agreement:

• Applied GDPR conditions under which EU data can be further transferred from Japan to another third country, access to individual rights and complaints/access to rectification. These rules will be binding on Japanese companies importing data from the EU and enforceable by both the Japanese courts and independent data protection authority (“PPC”)
• A complaint-handling mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities. This new mechanism will be administered and supervised by the PPC
• Enhanced safeguards concerning the access of Japanese public authorities for criminal law enforcement and national security purposes, ensuring that any such use of personal data would be limited to what is necessary, proportionate and subject to independent oversight and effective redress mechanisms

What this Means for Other Regional Arrangements (and Their Businesses)

Obviously the agreement is meant to support international trade, this while promoting the high standards demanded by both EU and Japanese citizens.  It, further, represents a successful foray into the application of complex, enhanced GDPR rules with another country’s legislative milieu in mind.  This is probably where foreign businesses should probably start taking notice.

Even in comparison to Japanese legislation, GDPR rules comprise the most restrictive data protection mechanisms to date.  Where EU citizens’ data is concerned, the Japanese government – representing what already constitutes a sizable piece of the global trade pie – has agreed to apply GDPR rules within its borders to ensure this partnership will not be compromised.  It would therefore follow that other countries – including those who had previous arrangements under the previous Directive – will most likely follow suit rather than risk their access to the European market.  This could result in the formation of oversight mechanisms (such as Japan’s PPC) to ensure GDPR rules are applied, as well as enforcement within respective, domestic court systems.

This also means that other Asian countries – particularly at the state/administrative level – should expect protracted engagements with the EU in order to apprehend how their respective systems align with GDPR interests.  The next step is, most likely, to see how Korea’s application for Partial Adequacy arrangements in correlation to that country’s Personal information Protection Act – which arguably already shares many similarities with the GDPR – will play out later this year.

And China?

These agreements will most likely reflect some of the difficulties China may expect in teasing out its own partnership with the European bloc.  China’s progress in data protection has already mirrored the advent of the GDPR in some fashions, with the nation’s Cybersecurity Law (“CSL”) seeing passage of November 2016, the same year as the GDPR’s passage in Europe.  Indeed, some facets of the legislation are nearly verbatim – such as the definition of personal data (e.g. Any information Relating to An identified or identifiable Natural person, Applied via Article 76.5 of the CSL), this as well as significant sanctions in response to a breach.  That being said, there are substantial – and perhaps inherently problematic – differences between the EU and Chinese legislative umbrella with regard to data protection.

The GDPR, of course, makes its extraterritoriality an explicit aspect of the regulatory function; China’s focus on integrating the cybersecurity and data protection functions naturally allows that the focus of protection is strictly limited to the PRC.  Chinese businesses would therefore need to apply both the GDPR and CSL standards in cases where data is being transferred between the two entities.

There may, however, be some instances wherein compliance between the two would be not reasonably forthcoming, particularly in light of Chinese understanding of data deletion and the right to be forgotten – which would only be available if the data controller has breached the law or an agreement with the data subject.  There are also enduring concerns as to how privacy would interact with the state’s much-maligned Social Credit system – which would naturally hold data at the national level, this for purposes obviously not appreciated in the GDPR – not to mention how exemptions provided to corporations with regard to data processing and consent may be adaptable, if at all.

In addition, there is real concern that businesses may again be largely unprepared for the inevitable, and that this intransigence could be endemic – relative to the lack of understanding of how the CSL will be implemented/enforced in light of other elements of their legislative umbrella.  There are still significant portions of the system have difficulty connecting implementation with the ambition of Chinese data protection regulations, and as such Chinese companies are currently lagging behind peers from most Western nations, and in particular the US.

Conclusions

While the GDPR looms large with regard to Western businesses’ data protection frameworks, prior to the probable uptake of Japan’s adequacy arrangements, New Zealand represented the only Asia-Pacific country able to share data freely between its companies and EU counterparts.  Many regional players – such as Thailand and Indonesia – have seen efforts at modernising data protection efforts largely unrealised to this point; indeed, even nations with leveraged interests in EU businesses – such as Singapore, who won’t even table proposed revisions to its parliament until 2019 – may be falling behind at the state level.

This will leave Asian, EU-partnered businesses unable to rely on domestic legislative guidance on how to proceed with regard to the GDPR, and distressingly unprepared for the well-publicised, hefty fines that result from a breach.  Japan’s success in meeting the GDPR will hopefully global enforcement on data protection.

Under GDPR, there are essentially 3 possibilities to transfer data to a country outside of the European Union (hereafter a “third country”):

• The EU Commission has adopted an adequacy decision recognizing that the third country provides a similar standard with regard to data protection as the EU (so far only Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (limited to the Privacy Shield framework))
• The data controller or processor has provided appropriate safeguards (art 46 GDPR)
• The data transfers occurs exceptionally based on a derogation foreseen by GDPR (art 49 GDPR)

Regarding the 3^rd option, the European Data Protection Board (EDPB), has adopted new Guidelines on 25 May 2018 (Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679, hereafter the “Guideline”).

Before entering into a detailed analysis of each of the possible derogations (see below), EDPB provided a few general guidelines on how to apply these derogations.

I. General comments

1. Using the exception as a last resort

The data exporter shall use a layered approach meaning it should first consider whether the third country provides an adequate level of protection.

If the level of protection is not adequate, it should consider providing appropriate safeguards within the meaning of GDPR.

Only if these 2 options cannot be fulfilled, the data exporter should consider derogations under article 49 GDPR.

2) Occasional and not repetitive transfers

EDPB provides further clarification on the terms “occasional” and “not repetitive” used within GDPR explaining that the transfers may happen more than once, but not regularly. This could mean outside the regular course of actions, for example, under random, unknown circumstances and within arbitrary time intervals.

According to the Guideline, a transfer can generally be considered to be non-occasional or repetitive when the data importer is granted direct access to a database. (e.g. via an interface to an IT application) on a general basis.

3) The transfer must be necessary

The necessity tests (required for the use of certain derogations of Article 49 GDPR) requires an evaluation by the data exporter in the EU of whether the transfer of personal data can be considered necessary for the specific purpose of the derogation used.

4) Decisions from third country authorities or Courts

GDPR clarified that decisions from third country authorities or Courts are not in themselves legitimate grounds for data transfers to third countries (Article 48 GDPR). Therefore, a transfer in response to a request by a third country authority or Court is only lawful if in line with the conditions set out by specific Chapter of GDPR in relation to transfer of personal data to third countries.

EDPB also clarified that where an international agreement exists between the country where the data exporter is located and the country where the data importer is located, such as a legal assistance treaty, EU companies should generally refuse direct requests and refer the requesting third country authority to this agreement.

II. Specific guidelines

The Guideline then clarifies the requirements for each derogation foreseen by GDPR (art 49 1) a) to g) and 49 1) §2 GDPR) i.e.:

1. In case of explicit consent by the data subject,
2. Transfer necessary for the performance of the contract between the data subject and the data controller or for the implementation of precontractual measures taken at the data subject’s request,
3. Transfer necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person,
4. Transfer is necessary for important reasons of public interest,
5. Transfer is necessary for the establishment, exercise or defense of legal claims,
6. Transfer is necessary in order to protect the vital interest of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent,
7. Transfer made from a public register,
8. Transfer for compelling legitimate interest

1. Data subject’s consent

a) Explicit consent

The Guideline first reminds that GDPR only allows a transfer of data to a third country based on consent if:

• The data subject has explicitly consented to the proposed transfer and
• After having been informed of the possible risks of such transfers (due to the absence of an adequacy decision and appropriate safeguards)

With regard to “explicit consent”, EDPB refers to the Guidelines adopted by WP29 and endorsed by EDPB (WP29 Guidelines on Consent under Regulation 2016/679 (WP259), page 18 Section 4. “Obtaining explicit consent).

One of the examples given by WP29 in the Guidelines on Consent show the difference between “consent” and “explicit consent”:

A data controller may also obtain explicit consent from a visitor to its website by offering an explicit consent screen that contains Yes and No check boxes, provided that the text clearly indicates the consent, for instance “I, hereby, consent to the processing of my data”, and not for instance, “It is clear to me that my data will be processed”. It goes without saying that the conditions for informed consent as well as the other conditions for obtaining valid consent should be met.

b) Specific consent for the particular data transfer

One of the requirements for said transfer is that the valid consent is specific.

The Guideline clarifies that if consent is given by the data subject at a certain time for a specific purpose (e.g. delivery of goods), such consent will not suffice for the transfer of data to a data importer in a third country. In such case, explicit consent will need to be sought for this specific purpose.

c) Informed consent

Under GDPR, it is a general required that the consent is “informed”, meaning the data subject must receive certain information prior to giving his consent.

In addition to this general information requirements, for transfers to third countries, GDPR foresees additional information on the specific risk resulting from the fact that the data will be transferred to a country not providing adequate protection and that no adequate safeguards are in place.

One of the examples given by EDPB on such risks could be that there is no supervisory authority in said country or that data subject’s rights are not protected by specific legal provisions.

2) Transfer necessary for the performance of a contract between the data subject and the data controller

The Guideline reminds once more that, in this case also, the derogation can only take place if the transfer is necessary and only occasional.

a) Necessity

EDPB gives two concrete examples:

i) when the transfer cannot be considered as necessary

A corporate group has, for business purposes, centralized its payment and human resources management functions for all its staff in a third country. In such case, there is no direct and objective link between the performance of the employment contract and the transfer (This being said, EDPB also confirmed that standard contractual clauses or binding corporate rules would be suitable in this scenario)

ii) when the transfer can be considered as necessary

The transfer by a travel agent of personal data concerning their individual clients to hotels or other commercial partners for the organization of the client’s stay abroad.

An example given for occasional transfer is the situation if personal data of a sales manager, who in the context of his/her employment agreement travels to different clients in third countries, and his/her personal data are to be sent to those clients in order to arrange the meetings.

3) Transfer necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person

The Guideline gives an example when this derogation may not apply:

Where an organization has, for business purposes, outsourced activities such as payroll management to service providers outside the EU, this derogation will not provide a basis for data transfers for such purposes, since no close and substantial link between the transfer and a contract concluded in the data subject’s interest can be established even if the end purpose of the transfer is the management of the pay of the employee.

However, the Guideline clarifies that other transfer tools provide a more suitable basis for such transfers such as standard contractual clauses or binding corporate rules.

4) Transfer is necessary for important reasons of public interest

The Guideline reminds here the definition of “public interest” within the meaning of GDPR (and Directive 95/46/EC before) can only be interpreted in a strict way, meaning that any request by a foreign public authority shall not fall under this derogation.

The existence of an international agreement or convention (to which the EU or the Member State are a party) which recognizes a certain objective and provides for international cooperation can be an indicator when assessing the existence of such “public interest”.

The Guideline also confirms that this derogation can be relied upon by private entities and thus not only public authorities, as the essential requirement is the finding of a public interest and not the nature of the organization.

Although transfer on this basis are not limited to “occasional” transfers, the Guideline still emphasized that such transfers shall not allow large scale transfers on a systematic manner.

5) Transfer is necessary for the establishment, exercise or defense of legal claims

The Guideline gives the following examples of transfers that could fall under this derogation:

• Transfer of data for the purpose of defending oneself or for obtaining a reduction or waiver of a fine legally foreseen (e.g. anti-trust investigation),
• Formal pre-trial discovery procedures in civil litigation,
• Actions by the data exporter to institute procedures in a third country (e.g. commencing litigation or seeking approval for a merger)

The derogation shall not be used of the grounds of the mere possibility that legal proceedings or formal procedures may be brought in the future.

While the Guideline clarifies that the procedure must have a legal basis, it is not limited to judicial or administrative procedures, but may cover out of court procedures.

6) Transfer necessary in order to protect the vital interest of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent

The Guideline clarifies that this derogation is meant for medical urgency matters.

The given example is that it must be legally possible to transfer data if the data subject, whilst outside the EU, is unconscious and in need of urgent medical care, and only an exporter (e.g. his usual doctor), established in the EU, is capable of providing the data.

The derogation cannot be used, according to the Guideline, to justify transferring personal medical data outside the EU if the purpose of the transfer is not to treat the particular case of the data subject or that of another person, but for example, to carry out general medical research that will not yield immediate results.

The incapability criteria can be physical, mental or legal (e.g. in case of a minor).

7)  Transfers made from a public register

The Guideline refers to a general definition of register as a “(written) record containing regular entries of items or details” or as “an official list or record of names or items”.

Since the register must necessarily be public (private registers are excluded), they shall be open to consultation either:

• The public in general or
• Any person who can demonstrate a legitimate interest

These could be: registers of companies, registers of associations, register of criminal convictions, (land) title registers or public vehicle registers (provided the legal requirements for the consultation of said registers under local law are fulfilled).

Transfers can only be made at the request of persons with a legitimate interest and by taking into account the data subject interests and fundamental rights.

8) Transfer for compelling legitimate interest

The Guideline clarifies that this new derogation only applies if no other derogation can be used (i.e. no adequacy decision, no appropriate safeguards, but also no other derogation under Article 49 1) a) to g). The data exporter must be able to prove that none of these derogations could apply.

The data shall also be “not repetitive” and limited to a certain number of data subject (although an absolute threshold has not been set as it will depend on the context).

As regards the term “compelling legitimate interest”, it should not be confused with the definition of “legitimate interest (Art 6 1) f) GDPR).

The only example given by the Guideline is for a data controller who is compelled to transfer the personal data in order to protect its organization or systems from serious immediate harm or from a severe penalty which would seriously affect its business.

Once the “compelling legitimate interest” has been identified, the data controller shall nevertheless proceed to a balancing test between said compelling legitimate interest and the interest or rights and freedoms of the data subject. Based on this assessment, the data controller shall provide “suitable safeguards” regarding the protection of the data transferred.

The Guideline emphasized that any possible damage needs to be taken into consideration (e.g. physical, material, but also non-material e.g. relating to a loss of reputation).

The transfer under this derogation entails the information to the supervisory authority although it has been clarified that the transfer does not need to be authorized by the supervisory authority.