Managing Consent for Transfers

Managing Consent for Transfers

Overview

GDPR Article 49(1)(a) provides that in the absence of an adequacy decision (Article 45) or appropriate safeguards (Article 46), a transfer of personal data to a third country may take place if "the data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks of such transfers for the data subject due to the absence of an adequacy decision and appropriate safeguards."

This is a derogation — a last resort — not a primary transfer mechanism. The EDPB Guidelines 2/2018 on derogations under Article 49 emphasize that derogations must be interpreted restrictively and should not become the rule.

Explicit Consent Requirements for Transfers

What Makes Transfer Consent "Explicit"

Explicit consent under Article 49(1)(a) requires a higher standard than standard consent under Article 6(1)(a):

1. Express statement: The data subject must make an express statement of consent specifically for the transfer. An unticked checkbox is sufficient for standard consent but may not be sufficient for explicit consent — a written or typed declaration is preferred.
2. Specific to the transfer: Consent must specifically mention the international transfer, not be buried in general terms.
3. Informed of risks: The data subject must be told about the specific risks of the transfer, not just generic warnings.
4. Specific destination: The third country or countries must be named.
5. Absence disclosed: The data subject must be told that there is no adequacy decision and no appropriate safeguards in place for the destination.

Information That Must Be Provided Before Consent

Per Article 49(1)(a) and EDPB Guidelines 2/2018:

CloudVault SaaS Inc. Transfer Consent Implementation

Scenario: Customer Support Data Transfer to India

CloudVault SaaS Inc. operates a customer support center in Bengaluru, India (CloudVault India Pvt. Ltd.). When EU users submit support tickets outside EU business hours, ticket data may be accessed from India.

Consent Statement (displayed to users):

"To provide you with 24/7 customer support, CloudVault SaaS Inc. may transfer your support ticket data (your name, email address, account details, and the content of your support request) to CloudVault India Pvt. Ltd. in Bengaluru, India.

India does not have an adequacy decision from the European Commission, and this specific transfer is not covered by Standard Contractual Clauses or Binding Corporate Rules.

This means your data may not receive the same level of protection as under EU law. In particular:

• The Indian Digital Personal Data Protection Act 2023 is still in early implementation and its enforcement mechanisms are not yet fully established
• Indian government authorities may have legal powers to access personal data that differ from those available to EU authorities
• Judicial remedies available to you in India may differ from those available under EU law

You are not required to consent to this transfer. If you do not consent, your support requests will be handled during EU business hours only (Monday-Friday, 08:00-18:00 CET) by our Dublin-based support team.

You can withdraw this consent at any time in Settings > Privacy > Data Transfers. Withdrawal will take effect within 24 hours."

Consent Mechanism

• Two-step process: (1) user reads the full risk disclosure, (2) user types "I consent to the transfer" in a text field
• This typed declaration satisfies the "explicit" requirement
• Consent is recorded with all standard consent record fields plus transfer-specific fields

Limitations of Consent as Transfer Basis

Per EDPB Guidelines 2/2018:

1. Not for systematic/repetitive transfers: Consent under Article 49(1)(a) should not be used as the basis for systematic, large-scale, or repetitive transfers. For those, use SCCs (Article 46(2)(c)) or BCRs (Article 47).
2. Not a blank check: Each transfer must be specifically consented to, or consent must cover a clearly defined and limited set of transfers.
3. Power imbalance applies: The same freely-given requirement applies — consent for transfers in an employment context is generally not valid.
4. Withdrawal must be feasible: If the controller cannot operationally stop transfers upon withdrawal, consent may not be the appropriate basis.

Key Regulatory References

• GDPR Article 44 — General principle for transfers
• GDPR Article 45 — Transfers based on adequacy decisions
• GDPR Article 46 — Transfers subject to appropriate safeguards
• GDPR Article 49(1)(a) — Derogation: explicit consent for transfers
• EDPB Guidelines 2/2018 on Derogations under Article 49 (adopted May 25, 2018)
• CJEU C-311/18 (Schrems II, July 16, 2020) — Invalidated Privacy Shield; heightened transfer scrutiny
• EDPB Recommendations 01/2020 — Supplementary measures for transfers