Derogations for specific situations

Article 49 of the General Data Protection Regulation provides for derogations for specific situations. They are a last-resort basis for data transfer, only applicable in exceptional cases.

The transfer of data should primarily be based on a Commission decision on a sufficient level of data protection or the appropriate safeguards provided for in Article 46 of the GDPR. In other words, the controller should primarily seek to use appropriate safeguards as the transfer basis. Derogations for specific situations should only be used when appropriate safeguards cannot be applied. Because Article 49 is intended for exceptional circumstances, it must be given a narrow interpretation to avoid making the exception the rule.

Aspects such as the following shall be taken into account when considering the application of this basis for transfer:

  • the necessity of the transfer (Article 49(1), points (b), (c), (d), and (f))
  • occasional nature (for application without a contractual basis: Article 49(1), points (b) and (c));
  • possibly applicable international or other treaties; and
  • the rights of the data subjects (Article 49(1), point (e)).

Derogations for specific situations (Article 49(1), GDPR)

  1. The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.
  • Before asking for their consent, the controller shall notify the data subjects of

a) the recipients and groups of recipients of the personal data;

b) all countries to which personal data will be transferred;

c) the fact that their consent constitutes the legal basis for the transfer;

d) that the third country to which the data are being transferred does not offer adequate data protection based on a decision by the European Commission; and

e) the special risks caused by the transfer of data to a country that does not offer adequate data protection and by the lack of appropriate safeguards for the protection of the data.

  1. The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request.
  2. The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
  3. The transfer is necessary for important reasons of public interest.
  4. The transfer is necessary for the establishment, exercise or defence of legal claims.
  5. The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
  6. The transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.

The derogations for specific situations are also subject to special conditions described in more detail in Article 49 of the GDPR.

If none of the other exceptional bases are applicable, Article 49 offers a last-resort basis for transferring data. This requires the fulfilment of all of the conditions below:

  1. The transfer is not repetitive.
  2. It concerns only a limited number of data subjects.
  3. It is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject.
  4. The controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data.

The supervisory authority shall always be notified of such transfers.

The controller or processor shall document the assessment and suitable safeguards related to the transfer in the record of processing activities.

Additional information on the derogations is available from the European Data Protection Board's Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679 (pdf on EDPB's website).