(c)
the international commitments the third country or international organisation concerned has
entered into, or other obligations arising from legally binding conventions or instruments as well
as from its participation in multilateral or regional systems, in particular in relation to the
protection of personal data.
3.
The Commission, after assessing the adequacy of the level of protection, may decide, by means
of implementing act, that a third country, a territory or one or more specified sectors within a third
country, or an international organisation ensures an adequate level of protection within the meaning of
paragraph 2 of this Article. The implementing act shall provide for a mechanism for a periodic review,
at least every four years, which shall take into account all relevant developments in the third country or
international organisation. The implementing act shall specify its territorial and sectoral application
and, where applicable, identify the supervisory authority or authorities referred to in point (b) of
paragraph 2 of this Article. The implementing act shall be adopted in accordance with the examination
procedure referred to in Article 93(2).’
14
Article 46 of the GDPR, under the heading ‘Transfers subject to appropriate safeguards’, provides, in
paragraphs 1 to 3:
‘1.
In the absence of a decision pursuant to Article 45(3), a controller or processor may transfer
personal data to a third country or an international organisation only if the controller or processor has
provided appropriate safeguards, and on condition that enforceable data subject rights and effective
legal remedies for data subjects are available.
2.
The appropriate safeguards referred to in paragraph 1 may be provided for, without requiring any
specific authorisation from a supervisory authority, by:
(a)
a legally binding and enforceable instrument between public authorities or bodies;
(b)
binding corporate rules in accordance with Article 47;
(c)
standard data protection clauses adopted by the Commission in accordance with the examination
procedure referred to in Article 93(2);
(d)
standard data protection clauses adopted by a supervisory authority and approved by the
Commission pursuant to the examination procedure referred to in Article 93(2);
(e)
an approved code of conduct pursuant to Article 40 together with binding and enforceable
commitments of the controller or processor in the third country to apply the appropriate
safeguards, including as regards data subjects’ rights; or
(f)
an approved certification mechanism pursuant to Article 42 together with binding and
enforceable commitments of the controller or processor in the third country to apply the
appropriate safeguards, including as regards data subjects’ rights.
3.
Subject to the authorisation from the competent supervisory authority, the appropriate safeguards
referred to in paragraph 1 may also be provided for, in particular, by:
15
(a)
contractual clauses between the controller or processor and the controller, processor or the
recipient of the personal data in the third country or international organisation; or
(b)
provisions to be inserted into administrative arrangements between public authorities or bodies
which include enforceable and effective data subject rights.’
Article 49 of the GDPR, under the heading ‘Derogations for specific situations’, states:
‘1.
In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards
pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data
to a third country or an international organisation shall take place only on one of the following
conditions: