Performing an international data transfer requires either that the receiving country be deemed adequate or that appropriate safeguards be in place. When neither exists, an organisation needs to look at possible derogations or halt the data transfer.
A derogation is an exception specified within the regulation for transferring data internationally without adhering to one of the safeguards. Derogations are limited in what they allow and will be used only on rare occasions, and you must be able to demonstrate a compelling legitimate interest. A derogation applies when:
- The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.
- The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request.
- The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
- The transfer is necessary for important reasons of public interest.
- The transfer is necessary for the establishment, exercise or defence of legal claims.
- The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
- The transfer is made from a register that, according to EU or Member State law, is intended to provide information to the public and that is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case.
Finally, an exception is available where the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller and the controller has assessed all the circumstances surrounding the data transfer.