Article 49 GDPR (Derogations For Specific Situations)

Article 49 of GDPR: Transfer of data authorized for specific situations

Article 49 of GDPR establishes the rules with respect to the transfer of personal data to a third country in the absence of an adequacy decision or appropriate safeguards.

The appropriate safeguards are:

  1. Implementing a legally binding and enforceable contract between public authorities and bodies 
  2. Based on binding corporate rules
  3. Baked on standard data protection clauses adopted by the Commission 
  4. Based on standard data protection clauses adopted by the supervisory authority and approved by the Commission 
  5. A company adheres to an approved code of conduct and has entered into a binding and enforceable commitment to apply the appropriate safeguards to personal data
  6. A company has a GDPR certification and has entered into a binding and enforceable commitment to apply the appropriate safeguards to personal data 

Conditions to transfer personal data to a third country (Article 49(1) GDPR)

If an organization intends to transfer personal data to a third country not considered to be an adequate country by the Commission or if appropriate safeguards are not offered, then it can only transfer the data based on one the following conditions:

  1. The data subject has given his or her explicit consent after being informed of the transfer and associated risks (Article 49(1)(a) GDPR)
  2. The transfer is necessary for the performance of a contract or pre-contractual measures (Article 49(1)(b) GDPR)
  3. The transfer is necessary for the conclusion of a contract or performance of a contract in the interest of the data subject (Article 49(1)(c) GDPR)
  4. The transfer is necessary for the interest of the public (Article 49(1)(d) GDPR)
  5. The transfer is necessary for the establishment, exercise or defence of a legal claim (Article 49(1)(e) GDPR)
  6. The transfer is necessary to protect the vital interest of the data subject or another person (Article 49(1)(f) GDPR)
  7. The transfer is made from a register intended to provide information to the public and is open for consultation (Article 49(1)(g) GDPR)

If a data controller or data processor cannot perform a transfer to a country with an adequacy decision or having established an appropriate level of safeguard and none of the conditions of in Article 49(1) apply, then a transfer can only be done in the following scenario:

  1. The transfer is not repetitive
  2. Affects only a limited number of individuals
  3. Is necessary for the legitimate interest of the organization more so than the rights and freedoms of the individuals 
  4. The organization has assessed the overall nature of the data transfer
  5. The organization considers it has sufficient safeguards in place

In such a case, the transfer can be made and the data controller must inform the supervisory authority.

Data transfer from a register (Article 49(2) GDPR)

Where the personal data transfer is made from a register, then organizations are not authorized to transfer the entire set of personal data or entire categories of personal data contained in the register.

If individuals having a legitimate interest to consult the register request to do so so, then the register should be made available upon demand.

Non-application to public authorities (Article 49(3) GDPR)

The provisions of Article 49 of GDPR will not apply to public authorities conducting their activities and exercising their powers.

The public interest (Article 49(4) GDPR)

The notion of public interest for the purpose of this Article 49 is with respect to the interest recognized by the European Union laws or the law of the concerned European country.

Restrictions set by European Union member countries (Article 49(5) GDPR)

If personal data is intended to be transferred to a country that is not subject to an adequacy decision, each European Union member country can set limits or restrictions to the transfer of categories of personal data.

If such limits are set, the EU member country should notify the Commission to that effect.

Record-keeping of safeguard assessment (Article 49(6) GDPR)

If a company performs an assessment of having sufficient safeguards to transfer personal data to a third country based on the provision of Article 49(1), it has the duty to keep the assessment in its records further to its record-keeping obligations.

Recitals applicable to Article 49 of GDPR

Relevant Recitals: 111, 112, 113, 114, 115

GDPR Regulation article-by-article overview

Read our comprehensive overview of the GDPR Regulation, article by article, where we summarize each of the 99 articles contained in GDPR to give you a complete understanding of its content.

Cited Legislation in Article 49 or relevant recitals


GDPR Text: Article 49 of GDPR and Relevant Recitals

GDPR Text Source: EUR-Lex

Official GDPR Text: General Data Protection Regulation 

Official GDPR Title: REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), corrected by Corrigendum, OJL 127, 23.5.2018, p. 2 ((EU) 2016/679)