I am trying to interpret article 49 of the GDPR in relation to a specific case.
We are running an online auction platform, where we occasionally facilitate a trade of a vehicle between a seller in the EU and a buyer outside the EU. In these cases the vehicle is deregistered and shipped to the buyer. We also ship the original registration paper, which includes personal information.
Normally a transfer to a non-EU country is based on an adequacy decision, SCCs, binding corporate rules or similar. However, in this case we only transfer personal information to the company or person once, and using SCCs seems overkill.
I talked to the Danish data protection authorities and they reminded me of Article 49, but they won't give a binding decision.
I think we can use 1(b) as the legal basis. I would like to hear your interpretation and the reasons why we can or cannot use this as the legal basis.
I have pasted a snippet from Article 49 below.
Derogations for specific situations
1. In the absence of an adequacy decision pursuant to Article 45(3), or of appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the following conditions:
(a) the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;
(b) the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject's request;
(Caveat: a lawyer I am not.) I would say model/standard clauses or something approved by the SA are probably your best bet here.
I think you are on the right track. If the SA won't approve your wording or code of conduct, document the decision, get consent from the subject, document the same, point out the risks and the impracticality of getting it back. Could you redact some of the info? If the subject doesn't consent, perhaps have them keep the original and be responsible for communication with the buyer for a certain time period as part of the contract?
While it (the UK) may not be adequate for much longer, the UK ICO may help you triangulate:
The Article 29 Working Party, the collection of data protection authorities in the EU, is currently seeking public comment on the Guidelines on Article 49 of Regulation 2016/679, otherwise known as the General Data Protection Regulation. "The document builds on the previous work done by [the WP29] ... regarding central questions raised by the application of derogations in the context of transfers of personal data to third countries," the document states. "This document will be reviewed and if necessary updated, based on the practical experience gained through the application of the GDPR." The deadline for submitting comments is March 26, 2018.
In my opinion, the most important part of this article is consent. You must receive specific and direct consent from the EU end user. From what you describe, you have the legal reason covered by the nature of what you are doing. In regards to consent specifically, when you receive consent you will want to inform the end user which country the data will be transferred to. Since you have an online interface, you may want to give the end user (the seller) a little control to begin with. Ask the seller if they want to sell to buyers in other countries. If they do, then make sure they are aware that it may mean their data will be transferred outside their country of origin. (Collect consent here.) If they choose to only sell within a boundary, then only allow their posting to be displayed in those areas. If they do choose to sell outside their regulated area, make sure they provide consent again upon acknowledgement of the sale.
If the transfer of data comes to the US you may also want to consider going through a Privacy Shield Audit and Certification.
Hope this helps.
"the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards;"
From this I am seeing that your business has to explicitly inform the involved parties (buyer/seller). Have your legal department develop a transfer consent document and have the involved parties sign the document.