Exception 8: You make a single limited transfer and this is in your legitimate interest. For example, registers of companies, associations, criminal convictions, land registers or public vehicle registries. The entire registry cannot be transferred, nor can entire categories of personal data. 1.1.4 “Data protection laws” are EU data protection laws and, where appropriate, data protection or data protection legislation from another country; Article 29 (Working Group), made up of EU supervisory authorities, has published specific guidelines to help multinational companies ensure that the rules contain essential data protection principles, as well as effective and binding mechanisms needed to ensure an adequate level of data protection. If you make a limited transfer that is not covered by a matching decision or adequate protection, you can only make that transfer if it is covered by one of the “exceptions” under section 49 of the RGPD. Respect for data transmission remains an important issue for organizations whose activities include the transfer of personal data to a third country. Given the seriousness of sanctions for breaches of data protection rules (up to 20 million euros, or 4% of global annual turnover), it is essential to prepare for the adoption of the transfer mechanism. This is why, first of all, it is necessary to identify processes involving data transfers from non-EU products. In the absence of a ad hoc decision, organizations should consider and provide appropriate safeguards (standard contractual clauses or BDRs).
The comfort of certification systems and codes of conduct as possible transmission mechanisms should not be underestimated. At the same time, exemptions in exceptional circumstances are only possible if appropriate safeguards are taken. Exception 1. Did the person give explicit consent to the restricted transfer? When personal data is transferred or accessed outside the EEA, the transfer agreement between the parties must not only take into account the legality of the transfer, but must also take into account the processing of personal data in general and take into account all related PDMP requirements. For example, for data exports to a processor or subcontractor, the RGPD sets out detailed requirements that an agreement must include in addition to dealing with transmission. The requirement to include mandatory information in transfer agreements is a significant change made by the RGPD. There are two sets of standard contractual clauses for limited transfers between a controller and a controller and two sets between a controller and a processor.