GDPR Art.49: Derogations for Specific Situations
What This Control Requires
In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:

- (a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
- (b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
- (c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
- (d) the transfer is necessary for important reasons of public interest;
- (e) the transfer is necessary for the establishment, exercise or defence of legal claims;
- (f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
- (g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public.
In Plain Language
Sometimes neither adequacy nor safeguards are available, and you still need to transfer data abroad. Article 49 provides a set of derogations for these specific situations - but they are exactly that: exceptions for particular circumstances, not a substitute for proper transfer mechanisms. The EDPB has been very clear that these derogations must be interpreted restrictively and should never become the routine basis for systematic or large-scale data flows.
Seven scenarios qualify: explicit consent with full risk disclosure, necessity for performing a contract with the data subject, contracts in the data subject's interest, important public interest grounds, establishment or defence of legal claims, protection of vital interests when consent is impossible, and transfers from public registers. Each has specific conditions. Consent must be genuinely explicit (not just informed), contract necessity is judged strictly (not broadly), and the public interest derogation requires the interest to be recognised in EU or Member State law.
There is also a narrow residual option in Article 49(1) second subparagraph for transfers that fit none of the above: the transfer must not be repetitive, must concern only a limited number of data subjects, must serve compelling legitimate interests, and the controller must have assessed the circumstances and provided suitable safeguards. This is genuinely a last resort, and it requires notification to the supervisory authority.
How to Implement
Before relying on any derogation, do a thorough assessment. For each transfer where adequacy and safeguards are not available, identify which derogation could apply and document specifically why adequacy and safeguards cannot be used, how the chosen derogation fits the transfer, and why the transfer is limited enough in scope to qualify.
For consent-based transfers under Article 49(1)(a), give data subjects a clear picture of the risks before they consent. Explain that the destination country may lack equivalent data protection laws and that their rights may be harder to enforce. The consent itself must be explicit (a clear affirmative act specifically about the transfer), specific to the particular transfer, freely given (not bundled into terms of service), and revocable. Document both the consent and the risk information provided.
For contract necessity under Article 49(1)(b) or (c), apply the necessity test strictly. The transfer must be objectively required for the contract, not merely convenient or cost-effective. Booking a hotel abroad for a customer clearly requires sending their details to that country. Outsourcing general customer data processing to an offshore team does not meet the necessity threshold just because it saves money.
Document everything. For each transfer relying on a derogation, record which derogation applies, the specific circumstances justifying it, why proper transfer mechanisms are not feasible, the scope and frequency of the transfer, and any additional safeguards you have put in place. Regulators will want to see this documentation, and without it your accountability case falls apart.
Do not let derogations become your default. If your transfers are ongoing, regular, or involve significant volumes, implement SCCs, BCRs, or another Article 46 mechanism. Derogations are for genuinely exceptional or occasional transfers. Using them to avoid the work of setting up proper safeguards is exactly what regulators look for - and penalise.
Evidence Your Auditor Will Request
- Assessment documentation for each transfer relying on a derogation
- Evidence of explicit consent with risk disclosure (for consent-based transfers)
- Necessity assessments for contract-based transfer derogations
- Documentation demonstrating that derogation use is genuinely exceptional and not routine
- Notification to supervisory authority for residual-option transfers under Article 49(1) second subparagraph
Common Mistakes
- Using Article 49 derogations as the primary basis for routine, systematic data transfers
- Consent for transfers not meeting the 'explicit' standard or not including risk disclosure
- Overly broad interpretation of 'necessary for contract performance' to cover routine offshore processing
- No documentation of the assessment and justification for relying on a derogation
- Relying on the public interest derogation without the public interest being recognised in EU or Member State law
Related Controls Across Frameworks
| Framework | Control ID | Relationship |
|---|---|---|
| ISO 27001 | A.5.34 | Related |
Frequently Asked Questions
Can we use Article 49 derogations for ongoing, regular data transfers?
What risks must we disclose for consent-based transfers?
When can we use the 'compelling legitimate interests' residual option?