Relying on the Article 49 derogations
Where there is neither adequacy nor appropriate safeguards, a transfer may still rely on an Article 49 derogation. The EDPB says these must be interpreted restrictively and used as a last resort. They include explicit consent, contract necessity, substantial public interest, legal claims, vital interests, public registers, and the narrow compelling legitimate interests gateway. Public authorities cannot rely on the consent derogation for their public powers.
The EDPB confirmed the must be interpreted restrictively and only relied on as a last resort, when neither adequacy nor appropriate safeguards is possible. Some jurisdictions require notifying the regulator when a derogation is used.
| Derogation | Key condition / example |
|---|---|
| Explicit consent | Specific, informed, and explicit; the individual must be told of the risks from the absence of adequacy/safeguards. Public authorities cannot use this in exercise of their public powers (Art 49(3)) |
| Contract performance | Transfer necessary to perform/conclude a contract with the individual, or a pre-contractual step at their request; or a contract in the individual's interest with a third party |
| Substantial public interest | E.g. crime prevention/detection, national security, tax collection |
| Legal claims | Necessary for establishing, exercising or defending legal claims |
| Vital interests | Life-or-death matters, e.g. transferring medical records of someone seriously ill or injured abroad |
| Public registers | Extracts from a public register (directors, shareholders) - not the whole register; access conditions must be honoured |
| Compelling legitimate interests | Last resort: not repetitive, limited number of data subjects, suitable safeguards assessed, and the SA and data subject informed |
If a holiday is booked via an EEA travel agent, sending booking details to the foreign hotel is necessary to perform the contract. But moving the whole customer database abroad for cost-cutting is not necessary - necessity depends on the goods/services, not how the exporter structures its operations.