
3.5 Derogations


○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree

Please explain the advantages and risks that you foresee for allowing accreditation of non-UK bodies.


Q3.4.4. Are there any other changes to certifications that would improve them as an international transfer tool?

3.5 Derogations

Explanatory box: What are derogations?

The derogations described in Article 49 of the UK GDPR are exceptions from the general rule that you should not make a restricted personal data transfer unless it is covered either by a UK adequacy regulation, or there are appropriate safeguards in place. The use of derogations is the final mechanism available to organisations for transferring data internationally. Derogations can only be used in very limited circumstances and under specific conditions, where adequacy and alternative transfer mechanisms are unavailable.

Before considering derogations, organisations must first identify whether or not the recipient country is adequate, or whether appropriate safeguards can be used. If these mechanisms are not available, then the derogations can be considered. The available derogations are for situations where:

● the data subject has given explicit consent for the proposed transfer after having been informed of the possible risks

● the transfer is necessary for the performance of a contract between the data subject and the controller, or pre-contractual measures taken at the data subject’s request

● the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person

● the transfer is necessary for important reasons of public interest

● the transfer is necessary for the establishment, exercise or defence of legal claims

● the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent

● the transfer is made from a register which according to domestic law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by domestic law for consultation are fulfilled in the particular case

If none of the derogations apply, organisations can consider one final option, referred to as ‘compelling legitimate interest’. The use of this derogation is even more severely constrained than the other options. It can only be employed in circumstances where the transfer is not repetitive, the data relates only to a limited number of individuals and the transfer is necessary for an organisation’s compelling legitimate interest. To assess whether it can be used, organisations must balance their compelling legitimate interests against the impact on the rights and freedoms of the individuals the data relates to. Suitable additional safeguards like strict confidentiality agreements or additional technical controls should be used wherever possible. The details of how this transfer has been carried out must be recorded and both the data subjects and the ICO must be informed of the transfer.

269. The government proposes to maintain the existing overarching approach to derogations: they should be used only in situations where they are necessary and where neither adequacy nor other safeguards are appropriate. However, despite the strict conditions, there are still situations where derogations may be appropriate and a technical change may clarify the restrictions on using derogations.

Repetitive use of derogations

270. The government proposes establishing a proportionate increase in flexibility for use of derogations by making explicit that repetitive use of derogations is permitted. Repetitive use of derogations is currently restricted by the UK GDPR recitals and in European Union regulatory guidance.[83] This permission will apply to all of the derogations except the derogation for compelling legitimate interests. Making explicit that repetitive use of derogations is permitted will provide flexibility and assurance for organisations that need to rely on them in certain limited but necessary situations.

The government welcomes views on the following question:

Q3.5.1. To what extent do you agree that the proposal described in paragraph 270 represents a proportionate increase in flexibility that will benefit UK organisations without unduly undermining data protection standards?

○ Strongly agree ○ Somewhat agree ○ Neither agree nor disagree ○ Somewhat disagree ○ Strongly disagree

Please explain your answer, and provide supporting evidence where possible.
