§ GDPR · Article 49
GDPR Article 49: Obligations, Deadlines & Penalties
At a glance
Article 49 of the GDPR imposes 6 obligations on Member States, controller, processor.
§ Obligations
All obligations under Article 49
Obligation 1
The controller must ensure that a transfer to a third country based on compelling legitimate interests is not repetitive, concerns only a limited number of data subjects, and is necessary for purposes not overridden by the data subject's rights.
Regulation (EU) 2016/679, Article 49, Article 49
- Obligated entity
-
controller
- Action required
-
ensure
- Deadline
-
—
- Penalty
-
—
Obligation 2
The controller must assess all the circumstances surrounding the data transfer and provide suitable safeguards with regard to the protection of personal data when relying on compelling legitimate interests.
Regulation (EU) 2016/679, Article 49, Article 49
- Obligated entity
-
controller
- Action required
-
assess
- Deadline
-
—
- Penalty
-
—
Obligation 3
The controller shall inform the supervisory authority of the transfer when relying on compelling legitimate interests under the second subparagraph of paragraph 1.
Regulation (EU) 2016/679, Article 49, Article 49
- Obligated entity
-
controller
- Action required
-
inform
- Deadline
-
—
- Penalty
-
—
Obligation 4
The controller shall inform the data subject of the transfer and on the compelling legitimate interests pursued, in addition to providing the information referred to in Articles 13 and 14.
Regulation (EU) 2016/679, Article 49, Article 49
- Obligated entity
-
controller
- Action required
-
inform
- Deadline
-
—
- Penalty
-
—
Obligation 5
Member States shall notify provisions that expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation for important reasons of public interest to the Commission.
Regulation (EU) 2016/679, Article 49, Article 49
- Obligated entity
-
Member States
- Action required
-
notify
- Deadline
-
—
- Penalty
-
—
Obligation 6
The controller or processor shall document the assessment as well as the suitable safeguards referred to in the second subparagraph of paragraph 1 in the records referred to in Article 30.
Regulation (EU) 2016/679, Article 49, Article 49
- Obligated entity
-
controller, processor
- Action required
-
document
- Deadline
-
—
- Penalty
-
—
§ Frequently asked
Questions about Article 49
Who must comply with Article 49 of the GDPR?
+
Member States, controller, processor.
What does Article 49 of the GDPR require?
+
ensure assess inform