1. 於欠缺第 45 條第 3 項之充足程度保護之決定、或欠缺第 46 條之 適當保護措施時，包括有拘束力之企業守則、個人資料之移轉或一系 列移轉至第三國或國際組織，僅應於符合下列條件時進行：
1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
(a) 資料主體於受關於因欠缺充足程度保護決定及適當保護措施，該 等移轉對資料主體造成之可能風險通知後，已明確同意計畫之移轉；
(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
(b) 移轉對履行資料主體與控管者間契約、或依資料主體之請求執行 契約前之措施為必要；
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request;
(c) 移轉對締結或履行控管者與其他自然人或法人間，基於資料主體 之利益所締結之契約為必要；
(c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the data subject between the controller and another natural or legal person;
(e) the transfer is necessary for the establishment, exercise or defence of legal claims;
(f) 於資料主體身體上或法律上無法為同意之表示時，移轉對保護資 料主體之重要利益為必要；
(f) the transfer is necessary in order to protect the vital interests of the data subject or of other persons, where the data subject is physically or legally incapable of giving consent;
(g) 移轉係依據歐盟或會員國法登記，意圖提供公眾信息且開放予一 般公眾或任何得舉證具合法利益者諮詢，但僅限於特定情形中歐盟或 會員國法設定之諮詢條件獲滿足之程度。
(g) the transfer is made from a register which according to Union or Member State law is intended to provide information to the public and which is open to consultation either by the public in general or by any person who can demonstrate a legitimate interest, but only to the extent that the conditions laid down by Union or Member State law for consultation are fulfilled in the particular case.
於移轉無法符合第 45 條或第 46 條之規定，包括有拘束力之企業守則 之規定，且無法適用本項第 1 款所稱之任何特定例外情形時，向第三 國或國際組織之移轉僅於該移轉非重複性、僅影響有限數量之資料主 體，對控管者所追求之合法目的為必要而不凌駕於資料主體之利益或 權利及自由，且控管者已評估資料移轉之所有環境，而立於評估對個 人資料保護為適合保護措施之基礎時，方得進行。控管者應將移轉通 知監管機關。於第 13 條及第 14 條提供資訊之情形，控管者應將移轉 及追求之合法利益通知資料主體。
Where a transfer could not be based on a provision in Article 45 or 46, including the provisions on binding corporate rules, and none of the derogations for a specific situation referred to in the first subparagraph of this paragraph is applicable, a transfer to a third country or an international organisation may take place only if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, and the controller has assessed all the circumstances surrounding the data transfer and has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data. The controller shall inform the supervisory authority of the transfer. The controller shall, in addition to providing the information referred to in Articles 13 and 14, inform the data subject of the transfer and on the compelling legitimate interests pursued.
2. 第 1 項第 1 款第 g 點之移轉不得涉及全部個人資料或登記內個人 資料之所有分類。於由具合法利益者為諮詢而登記時，該移轉僅得依 其請求或其為接收者之情形為之。
2. A transfer pursuant to point (g) of the first subparagraph of paragraph 1 shall not involve the entirety of the personal data or entire categories of the personal data contained in the register. Where the register is intended for consultation by persons having a legitimate interest, the transfer shall be made only at the request of those persons or if they are to be the recipients.
3. 第 1 項第 1 款第 a、b、及 c 點及第 2 款不適用於公務機關執行公 權力之活動。
3. Points (a), (b) and (c) of the first subparagraph of paragraph 1 and the second subparagraph thereof shall not apply to activities carried out by public authorities in the exercise of their public powers.
4. 第 1 項第 1 款第 d 點之公共利益應為歐盟法或控管者受拘束之會 員國法所承認者。
4. The public interest referred to in point (d) of the first subparagraph of paragraph 1 shall be recognised in Union law or in the law of the Member State to which the controller is subject.
5. 於欠缺充足程度保護之決定之情形下，歐盟或會員國法得基於公 益之重要原因，明訂特殊類型之個人資料移轉至第三國或國際組織之 限制。會員國應向執委會通知該等規定。
5. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of personal data to a third country or an international organisation. Member States shall notify such provisions to the Commission.
The latest consolidated version of the Regulation with corrections by Corrigendum, OJ L 127, 23.5.2018, p. 2 ((EU) 2016/679). Source: EUR-lex.
(111) 於資料主體已明確同意時，以及於移轉基於契約或法律上主張 之必要而不具經常性時，不問係於訴訟、行政程序或任何法庭外程序， 包括管制機構前之程序，關於特定情況下移轉資料有其可能性之規定 應予制定。在基於歐盟法或會員國法所訂定之重要公益理由要求時， 或該移轉係來自法定登記且係為公眾或具正當利益之私人進行查詢 時，關於移轉資料有其可能性之規定亦應予制定。在後者之情形，該 移轉不應涵蓋全部之個人資料或該登記所涉及之全類別所含之全部 資料，且當該登記係為有正當利益之私人進行查詢時，移轉應僅在其 請求下進行，或若其為接收者，應完整考量資料主體之利益與基本 權。
(111) Provisions should be made for the possibility for transfers in certain circumstances where the data subject has given his or her explicit consent, where the transfer is occasional and necessary in relation to a contract or a legal claim, regardless of whether in a judicial procedure or whether in an administrative or any out-of-court procedure, including procedures before regulatory bodies. Provision should also be made for the possibility for transfers where important grounds of public interest laid down by Union or Member State law so require or where the transfer is made from a register established by law and intended for consultation by the public or persons having a legitimate interest. In the latter case, such a transfer should not involve the entirety of the personal data or entire categories of the data contained in the register and, when the register is intended for consultation by persons having a legitimate interest, the transfer should be made only at the request of those persons or, if they are to be the recipients, taking into full account the interests and fundamental rights of the data subject.
(112) 該等例外尤應適用於受要求且基於公共利益之重要理由而有 必要之資料移轉，例如國際間主管機關、稅務或關務機關間、金融監 管機關之間、社會安全或公共衛生服務專責機關間之資料交換；例如 傳染病之接觸追蹤或為了降低並/或消除藥物濫用之情形。若資料主 體無法給予同意，於有必要保護資料主體之重要利益或其他人之重要 利益，包括身體完整性或生命時，個人資料之移轉亦應被視為合法。 在欠缺有充足保護程度之決定時，歐盟法或會員國法可能基於公共利 益之重要理由，明確限制特定類別之資料移轉至第三國或國際組織。 會員國應向執委會通知此種規定。任何於資料主體身體上或法律上無 能力給予同意下所為之個人資料移轉至國際人道組織，按照完成目前 在日內瓦公約之任務或遵循於武裝衝突時所適用之國際人道法的觀 點，可以被視為必要的公共利益之重要理由或因為其屬於資料主體之 重要利益。
(112) Those derogations should in particular apply to data transfers required and necessary for important reasons of public interest, for example in cases of international data exchange between competition authorities, tax or customs administrations, between financial supervisory authorities, between services competent for social security matters, or for public health, for example in the case of contact tracing for contagious diseases or in order to reduce and/or eliminate doping in sport. A transfer of personal data should also be regarded as lawful where it is necessary to protect an interest which is essential for the data subject's or another person's vital interests, including physical integrity or life, if the data subject is incapable of giving consent. In the absence of an adequacy decision, Union or Member State law may, for important reasons of public interest, expressly set limits to the transfer of specific categories of data to a third country or an international organisation. Member States should notify such provisions to the Commission. Any transfer to an international humanitarian organisation of personal data of a data subject who is physically or legally incapable of giving consent, with a view to accomplishing a task incumbent under the Geneva Conventions or to complying with international humanitarian law applicable in armed conflicts, could be considered to be necessary for an important reason of public interest or because it is in the vital interest of the data subject.
(113) 當移轉係控管者為實現重大正當利益，且該利益並未劣後於資 料主體之利益或權利及自由，並且該控管者已評估有關該資料移轉之 所有情況者，合乎不具反覆性且僅涉及有限人數之資料主體之移轉亦 屬可行。該控管者應特別考量個人資料之性質、所提議單一或多個處 理活動之目的及持續期間以及起源國、第三國與最終目的地國之狀況， 且應就該等個人資料處理提供適當保護措施，以確保當事人之基本權 及自由。該等資料移轉應僅在其無其他得適用之合法性基礎之其餘案 例上始有適用之可能。為科學或歷史研究目的或統計目的，社會知識 增長之合理期待應被納入考量。控管者應將該移轉通知監管機關及資 料主體。
(113) Transfers which can be qualified as not repetitive and that only concern a limited number of data subjects, could also be possible for the purposes of the compelling legitimate interests pursued by the controller, when those interests are not overridden by the interests or rights and freedoms of the data subject and when the controller has assessed all the circumstances surrounding the data transfer. The controller should give particular consideration to the nature of the personal data, the purpose and duration of the proposed processing operation or operations, as well as the situation in the country of origin, the third country and the country of final destination, and should provide suitable safeguards to protect fundamental rights and freedoms of natural persons with regard to the processing of their personal data. Such transfers should be possible only in residual cases where none of the other grounds for transfer are applicable. For scientific or historical research purposes or statistical purposes, the legitimate expectations of society for an increase of knowledge should be taken into consideration. The controller should inform the supervisory authority and the data subject about the transfer.
(114) 在任何情況下，於執委會尚未作成第三國關於資料處理有充足 保護程度之決定時，一旦在歐盟境內所處理之資料已被移轉，控管者 或處理者應設法提供資料主體可實現且有效之權利，使其等能繼續享 有基本權及保護措施之利益。
(114) In any case, where the Commission has taken no decision on the adequate level of data protection in a third country, the controller or processor should make use of solutions that provide data subjects with enforceable and effective rights as regards the processing of their data in the Union once those data have been transferred so that that they will continue to benefit from fundamental rights and safeguards.
(115) 有些第三國會採用旨在直接規範個人或法人在會員國管轄權 內所為處理活動之法律、規則或其他法令。此可能包括第三國之法院 或法庭之判決或行政機關之決定要求控管者或處理者移轉或揭露個 人資料，而其並非基於如司法互助條約等在要求資料之第三國與歐盟 或會員國間之國際協議。該等法律、規則及其他法令對於治外法權之 適用可能違反國際法，且可能妨礙本規則達成對個人在歐盟之保護。 移轉應僅得在本規則對於移轉至第三國所規定之條件皆成就時始被 允許。此包括但不限於發生在揭露係基於歐盟法或會員國法所承認之 公共利益的重要理由而控管者受該法之拘束且有必要之情形。
(115) Some third countries adopt laws, regulations and other legal acts which purport to directly regulate the processing activities of natural and legal persons under the jurisdiction of the Member States. This may include judgments of courts or tribunals or decisions of administrative authorities in third countries requiring a controller or processor to transfer or disclose personal data, and which are not based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State. The extraterritorial application of those laws, regulations and other legal acts may be in breach of international law and may impede the attainment of the protection of natural persons ensured in the Union by this Regulation. Transfers should only be allowed where the conditions of this Regulation for a transfer to third countries are met. This may be the case, inter alia, where disclosure is necessary for an important ground of public interest recognised in Union or Member State law to which the controller is subject.
EDPB, Guidelines 2/2018 on Derogations of Article 49 under Regulation 2016/679 (2018).
ICO, Guide on International Transfers (2019).
EDPB, Guidelines 3/2020 on the Processing of Data Concerning Health for the Purpose of Scientific Research in the Context of the Covid-19 Outbreak (2020).
(EN) ISO/IEC 27701, adopted in 2019, added additional ISO/IEC 27002 guidance for PII controllers.
Here is the relevant paragraph to article 49 GDPR:
7.5.1 Identify basis for PII transfer between jurisdictions
The organization should identify and document the relevant basis for transfers of PII between jurisdictions.
PII transfer can be subject to legislation and/or regulation depending on the jurisdiction or international organization to which data is to be transferred (and from where it originates).