Page 530 - GDPR and US States General Privacy Laws Deskbook
third country or international organisation. For the purposes of monitoring and of carrying out the periodic reviews, the
Commission should take into consideration the views and findings of the European Parliament and of the Council as
well as of other relevant bodies and sources. The Commission should evaluate, within a reasonable time, the functioning
of the latter decisions and report any relevant findings to the Committee within the meaning of Regulation (EU) No
182/2011 of the European Parliament and of the Council[11] as established under this Regulation, to the European
Parliament and to the Council.
(107) The Commission may recognise that a third country, a territory or a specified sector within a third country, or an
international organisation no longer ensures an adequate level of data protection. Consequently the transfer of personal
data to that third country or international organisation should be prohibited, unless the requirements in this Regulation
relating to transfers subject to appropriate safeguards, including binding corporate rules, and derogations for specific
situations are fulfilled. In that case, provision should be made for consultations between the Commission and such
third countries or international organisations. The Commission should, in a timely manner, inform the third country or
international organisation of the reasons and enter into consultations with it in order to remedy the situation.
(108) In the absence of an adequacy decision, the controller or processor should take measures to compensate for the lack of
data protection in a third country by way of appropriate safeguards for the data subject. Such appropriate safeguards
may consist of making use of binding corporate rules, standard data protection clauses adopted by the Commission,
standard data protection clauses adopted by a supervisory authority or contractual clauses authorised by a supervisory
authority. Those safeguards should ensure compliance with data protection requirements and the rights of the data
subjects appropriate to processing within the Union, including the availability of enforceable data subject rights and
of effective legal remedies, including to obtain effective administrative or judicial redress and to claim compensation,
in the Union or in a third country. They should relate in particular to compliance with the general principles relating to
personal data processing, the principles of data protection by design and by default. Transfers may also be carried out by
public authorities or bodies with public authorities or bodies in third countries or with international organisations with
corresponding duties or functions, including on the basis of provisions to be inserted into administrative arrangements,
such as a memorandum of understanding, providing for enforceable and effective rights for data subjects. Authorisation
by the competent supervisory authority should be obtained when the safeguards are provided for in administrative
arrangements that are not legally binding.
(109) The possibility for the controller or processor to use standard data-protection clauses adopted by the Commission or
by a supervisory authority should prevent controllers or processors neither from including the standard data-protection
clauses in a wider contract, such as a contract between the processor and another processor, nor from adding other
clauses or additional safeguards provided that they do not contradict, directly or indirectly, the standard contractual
clauses adopted by the Commission or by a supervisory authority or prejudice the fundamental rights or freedoms of
the data subjects. Controllers and processors should be encouraged to provide additional safeguards via contractual
commitments that supplement standard protection clauses.
(110) A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of
approved binding corporate rules for its international transfers from the Union to organisations within the same group
of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include
all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers
of personal data.
(111) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given
his or her explicit consent, where the transfer is occasional and necessary in relation to a contract or a legal claim,
regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including
[11] Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles
concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
530 | Recitals (EU General Data Protection Regulation)