Euro­pean Data Pro­tec­tion Board: When does a third-country trans­fer exist?

When does a third-country trans­fer exist? This ques­ti­on has been par­ti­cu­lar­ly rele­vant sin­ce the “Schrems II” ruling of the Euro­pean Court of Jus­ti­ce (ECJ). With its ruling in July 2020, the Court declared the “EU-US Pri­va­cy Shield” inva­lid and thus made the trans­fer of data to the United Sta­tes – which is par­ti­cu­lar­ly rele­vant, not least becau­se of num­e­rous Inter­net com­pa­nies based the­re – con­sider­a­b­ly more dif­fi­cult. In the absence of an ade­quacy decis­i­on, data can sin­ce then only be trans­fer­red to the US with appro­pria­te safe­guards pur­su­ant to Artic­le 46 GDPR. The­se are, in par­ti­cu­lar, stan­dard con­trac­tu­al clau­ses and bin­ding cor­po­ra­te rules.

In this light, the qua­li­fi­ca­ti­on of a data pro­ces­sing ope­ra­ti­on as a third-country trans­fer has gai­ned enorm­ous importance, as the exclu­si­on of a third-country trans­fer is a tried and tes­ted means for many data con­trol­lers to avo­id con­duc­ting a trans­fer impact assess­ment and the asso­cia­ted legal uncertainty.

Howe­ver, it is not only sin­ce “Schrems II” that the ques­ti­on has ari­sen as to what exact­ly is meant by a third-country trans­fer, becau­se the GDPR does not pro­vi­de a legal defi­ni­ti­on of eit­her the term “third coun­try” or the term “data trans­fer”. This is whe­re the Euro­pean Data Pro­tec­tion Board (EDPB) tri­es to shed light with its recent­ly published Gui­de­lines 05/2021 on the Inter­play bet­ween the appli­ca­ti­on of Artic­le 3 and the pro­vi­si­ons on inter­na­tio­nal trans­fers as per Chap­ter V of the GDPR.

Three cri­te­ria for a third-country transfer

At the begin­ning of the Gui­de­lines, the EDPB lists three cri­te­ria for a third-country trans­fer that must be cumu­la­tively met:

1.    The con­trol­ler or pro­ces­sor invol­ved in pro­ces­sing is sub­ject to the GDPR.

2.    The con­trol­ler or pro­ces­sor invol­ved in the pro­ces­sing (“export­er”) dis­c­lo­ses the per­so­nal data to ano­ther con­trol­ler, joint con­trol­ler or pro­ces­sor (“importer”) by trans­fer or other means (e.g. by making it accessible).

3.    The importer is loca­ted in a third coun­try or is an inter­na­tio­nal orga­ni­sa­ti­on. In this con­text, it does not mat­ter whe­ther the importer of Artic­le 3 GDPR is encompassed.

Accor­ding to the EDPB, the fol­lo­wing con­stel­la­ti­ons can­not be con­side­red as third-country transfers:

  • A direct trans­fer by the data sub­ject to a reci­pi­ent in a third coun­try, as the data is not trans­fer­red by an export­er (con­trol­ler or pro­ces­sor) but at the data sub­jec­t’s own initiative.
  • The remo­te access of an employee of a com­pa­ny within the EEA from out­side the EU.

In con­trast, the fol­lo­wing con­stel­la­ti­ons con­sti­tu­te third-country trans­fers in the EDPB’s view:

  • The trans­fer of the per­so­nal data of a con­trol­ler within the EU to a pro­ces­sor out­side the EU.
  • The trans­fer of per­so­nal data from a con­trol­ler out­side the EU to a pro­ces­sor within the EU, who then trans­fers the data back to the con­trol­ler. Sin­ce the con­trol­ler is in a third coun­try, the trans­fer of data from the pro­ces­sor to the con­trol­ler is con­side­red a trans­fer of per­so­nal data.
  • The trans­fer of per­so­nal data from a pro­ces­sor within the EU to a sub-processor out­side the EU.
  • The inter­nal trans­fer of per­so­nal data from a sub­si­dia­ry within the EU as con­trol­ler to the parent com­pa­ny out­side the EU as pro­ces­sor, e.g. to store employee data in the HR database.

As an exam­p­le of the third requi­re­ment, the EDPB cites the case of a pro­ces­sor within the EU who pro­ces­ses data for a con­trol­ler wit­hout an estab­lish­ment in the EU and for­wards the data to the con­trol­ler. Even if the GDPR appli­es to both pro­ces­sing ope­ra­ti­ons pur­su­ant to Artic­le 3(1) and (2) GDPR, the trans­fer of data from the pro­ces­sor to the con­trol­ler is con­side­red a trans­fer to a third coun­try, sin­ce the con­trol­ler is loca­ted in the third country.

Still open questions

Despi­te the­se cla­ri­fi­ca­ti­ons, some ques­ti­ons dis­cus­sed in prac­ti­ce remain open: For exam­p­le, it is note­wor­t­hy that the EDPB does not fur­ther address the ques­ti­on of when an importer is in a third coun­try or when data are made available in a third coun­try. The much-cited U.S. CLOUD ACT and pos­si­ble rights of access by U.S. parent cor­po­ra­ti­ons to Euro­pean bran­ches and sub­si­dia­ries appar­ent­ly do not seem worth men­tio­ning for the EDPB at this point. This could be an indi­ca­tor that the EDPB is more rela­xed about the­se issues than some natio­nal regulators.

back

Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.