Article 46 of GDPR: Transfers Subject To Appropriate Safeguards
Article 46 of GDPR provides for the mechanism to transfer personal data to an organization within a third country that is not subject to an adequacy decision.
Any transfer to an ‘unsafe’ third country must follow the requirements of GDPR.
Transfer authorized based on appropriate safeguards (Article 46(1) GDPR)
Data controllers and data processors can only transfer personal data to organizations in third countries without an adequacy decision conditional on the fact that:
- the controller or processor provides an appropriate level of safeguards
- The data subject rights remain enforceable
- The data subject legal remedies remain available
Transfers not requiring prior approval (Article 46(2) GDPR)
An organization can transfer personal data without the prior approval of the supervisory authority by applying any of the following measures:
- Implementing a legally binding and enforceable contract between public authorities and bodies (Article 46(2)(a) GDPR)
- Based on binding corporate rules (Article 46(2)(b) GDPR)
- Baked on standard data protection clauses adopted by the Commission (Article 46(2)(c) GDPR)
- Based on standard data protection clauses adopted by the supervisory authority and approved by the Commission (Article 46(2)(d) GDPR)
- A company adheres to an approved code of conduct and has entered into a binding and enforceable commitment to apply the appropriate safeguards to personal data (Article 46(2)(e) GDPR)
- A company has a GDPR certification and has entered into a binding and enforceable commitment to apply the appropriate safeguards to personal data (Article 46(2)(f) GDPR)
Transfers subject to prior approval (Article 46(3) GDPR)
Subject to the authorization of the supervisory authority, personal data can be transferred in the following scenarios:
- Based on contractual clauses between the data controller or process and the organization in the third country (Article 46(3)(a) GDPR)
- Based on provisions inserted into the administrative arrangements between the public authorities or bodies that include individual data protection rights (Article 46(3)(b) GDPR)
Consistency mechanism (Article 46(4) GDPR)
GDPR allows the supervisory authority to apply the consistency mechanism with respect to Article 46(3).
Decisions based on Directive 95/46/EC (Article 46(5) GDPR)
Decisions or authorizations issued based on Directive 95/46/EC will remain valid until they are replaced, repealed or amended.
Recitals applicable to Article 46 of GDPR
Relevant Recitals: 108, 109
GDPR Regulation article-by-article overview
Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.
Cited Legislation in Article 46 or relevant recitals
GDPR Text: Article 46 of GDPR and Relevant Recitals
GDPR Text Source: EUR-Lex
Official GDPR Text: General Data Protection Regulation
Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJL 127, 23.5.2018, p. 2 ((EU) 2016/679)