2.
In particular, any legislative measure referred to in paragraph 1 shall contain specific provisions
at least, where relevant, as to:
(a)
the purposes of the processing or categories of processing;
(b)
the categories of personal data;
(c)
the scope of the restrictions introduced;
(d)
the safeguards to prevent abuse or unlawful access or transfer;
(e)
the specification of the controller or categories of controllers;
(f)
the storage periods and the applicable safeguards taking into account the nature, scope and
purposes of the processing or categories of processing;
(g)
(h)
12
the risks to the rights and freedoms of data subjects; and
the right of data subjects to be informed about the restriction, unless that may be prejudicial to
the purpose of the restriction.’
Chapter V of the GDPR, under the heading ‘Transfers of personal data to third countries or
international organisations’, contains Articles 44 to 50 of that regulation. According to Article 44
thereof, under the heading ‘General principle for transfers’:
‘Any transfer of personal data which are undergoing processing or are intended for processing after
transfer to a third country or to an international organisation shall take place only if, subject to the other
provisions of this Regulation, the conditions laid down in this Chapter are complied with by the
controller and processor, including for onward transfers of personal data from the third country or an
international organisation to another third country or to another international organisation. All
provisions in this Chapter shall be applied in order to ensure that the level of protection of natural
persons guaranteed by this Regulation is not undermined.’
13
Article 45 of the GDPR, under the heading ‘Transfers on the basis of an adequacy decision’, provides,
in paragraphs 1 to 3:
‘1.
A transfer of personal data to a third country or an international organisation may take place
where the Commission has decided that the third country, a territory or one or more specified sectors
within that third country, or the international organisation in question ensures an adequate level of
protection. Such a transfer shall not require any specific authorisation.
2.
When assessing the adequacy of the level of protection, the Commission shall, in particular, take
account of the following elements:
(a)
the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both
general and sectoral, including concerning public security, defence, national security and criminal
law and the access of public authorities to personal data, as well as the implementation of such
legislation, data protection rules, professional rules and security measures, including rules for the
onward transfer of personal data to another third country or international organisation which are
complied with in that country or international organisation, case-law, as well as effective and
enforceable data subject rights and effective administrative and judicial redress for the data
subjects whose personal data are being transferred;
(b)
the existence and effective functioning of one or more independent supervisory authorities in the
third country or to which an international organisation is subject, with responsibility for ensuring
and enforcing compliance with the data protection rules, including adequate enforcement powers,
for assisting and advising the data subjects in exercising their rights and for cooperation with the
supervisory authorities of the Member States; and