International Transfer Derogations

Safeguards | ProvePrivacy | Article Image 20


An International Transfer Derogation is an exception specified within the regulation for transferring data internationally without adhering to one of the safeguards.  Performing an international data transfer requires either the receiving country to be deemed adequate or appropriate safeguards to be in place.  When neither of these exist then an organisation needs to look at possible derogations or to halt the data transfer.

International Transfer Derogations are limited in what they allow and will be used only on rare occasions and you must be able to demonstrate a compelling legitimate interest. A derogation applies when:

  • The data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards.
  • The transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request.
  • The transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person.
  • The transfer is necessary for important reasons of public interest.
  • The transfer is necessary for the establishment, exercise or defence of legal claims.
  • The transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent.
  • The transfer is made from a register that, according to EU or member state law, is intended to provide information to the public and that is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down in Union or Member State law for consultation are fulfilled in the particular case.

Finally, an exception is available where the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller and the controller has assessed all the circumstances surrounding the data transfer.

How can ProvePrivacy Help?

Whilst this may appear to be a complex subject, ProvePrivacy helps to guide the Data Champion in understanding what safeguards can be applied through it’s dynamic activity workflows.

Manage personal data and privacy risks

Suggested reading

You might also like

Scroll to Top

Contact us

If you would like to ask more questions or to arrange training, complete the form below and we will respond shortly.

See our Privacy Statement for more details.

Get expert tips and business insights