When does a third-country transfer exist? This question has been particularly relevant since the “Schrems II” ruling of the European Court of Justice (ECJ). With its ruling in July 2020, the Court declared the “EU-US Privacy Shield” invalid and thus made the transfer of data to the United States – which is particularly relevant, not least because of numerous Internet companies based there – considerably more difficult. In the absence of an adequacy decision, data can since then only be transferred to the US with appropriate safeguards pursuant to Article 46 GDPR. These are, in particular, standard contractual clauses and binding corporate rules.
In this light, the qualification of a data processing operation as a third-country transfer has gained enormous importance, as the exclusion of a third-country transfer is a tried and tested means for many data controllers to avoid conducting a transfer impact assessment and the associated legal uncertainty.
However, it is not only since “Schrems II” that the question has arisen as to what exactly is meant by a third-country transfer, because the GDPR does not provide a legal definition of either the term “third country” or the term “data transfer”. This is where the European Data Protection Board (EDPB) tries to shed light with its recently published Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR.
Three criteria for a third-country transfer
At the beginning of the Guidelines, the EDPB lists three criteria for a third-country transfer that must be cumulatively met:
1. The controller or processor involved in processing is subject to the GDPR.
2. The controller or processor involved in the processing (“exporter”) discloses the personal data to another controller, joint controller or processor (“importer”) by transfer or other means (e.g. by making it accessible).
3. The importer is located in a third country or is an international organisation. In this context, it does not matter whether the importer falls within the scope of Article 3 GDPR.
According to the EDPB, the following constellations cannot be considered as third-country transfers:
- A direct transfer by the data subject to a recipient in a third country, as the data is not transferred by an exporter (controller or processor) but at the data subject’s own initiative.
- The remote access of an employee of a company within the EEA from outside the EU.
In contrast, the following constellations constitute third-country transfers in the EDPB’s view:
- The transfer of the personal data of a controller within the EU to a processor outside the EU.
- The transfer of personal data from a controller outside the EU to a processor within the EU, who then transfers the data back to the controller. Since the controller is in a third country, the transfer of data from the processor to the controller is considered a transfer of personal data.
- The transfer of personal data from a processor within the EU to a sub-processor outside the EU.
- The internal transfer of personal data from a subsidiary within the EU as controller to the parent company outside the EU as processor, e.g. to store employee data in the HR database.
As an example of the third requirement, the EDPB cites the case of a processor within the EU who processes data for a controller without an establishment in the EU and forwards the data to the controller. Even if the GDPR applies to both processing operations pursuant to Article 3(1) and (2) GDPR, the transfer of data from the processor to the controller is considered a transfer to a third country, since the controller is located in the third country.
Still open questions
Despite these clarifications, some questions discussed in practice remain open: For example, it is noteworthy that the EDPB does not further address the question of when an importer is in a third country or when data are made available in a third country. The much-cited U.S. CLOUD Act and possible rights of access by U.S. parent corporations to European branches and subsidiaries do not seem worth mentioning to the EDPB at this point. This could be an indicator that the EDPB is more relaxed about these issues than some national regulators.