Euro­pean Data Pro­tec­tion Board: When does a third-country trans­fer exist?

When does a third-country trans­fer exist? This ques­ti­on has been par­ti­cu­lar­ly rele­vant sin­ce the “Schrems II” ruling of the Euro­pean Court of Jus­ti­ce (ECJ). With its ruling in July 2020, the Court decla­red the “EU-US Pri­va­cy Shield” inva­lid and thus made the trans­fer of data to the United Sta­tes – which is par­ti­cu­lar­ly rele­vant, not least becau­se of nume­rous Inter­net com­pa­nies based the­re – con­si­der­ab­ly more dif­fi­cult. In the absence of an ade­quacy decisi­on, data can sin­ce then only be trans­fer­red to the US with appro­pria­te safe­guards pur­suant to Arti­cle 46 GDPR. The­se are, in par­ti­cu­lar, stan­dard con­trac­tu­al clau­ses and bin­ding cor­po­ra­te rules.

In this light, the qua­li­fi­ca­ti­on of a data pro­ces­sing ope­ra­ti­on as a third-country trans­fer has gai­ned enor­mous impor­t­ance, as the exclu­si­on of a third-country trans­fer is a tried and tes­ted means for many data con­trol­lers to avoid con­duc­ting a trans­fer impact assess­ment and the asso­cia­ted legal uncertainty.

Howe­ver, it is not only sin­ce “Schrems II” that the ques­ti­on has ari­sen as to what exact­ly is meant by a third-country trans­fer, becau­se the GDPR does not pro­vi­de a legal defi­ni­ti­on of eit­her the term “third coun­try” or the term “data trans­fer”. This is whe­re the Euro­pean Data Pro­tec­tion Board (EDPB) tri­es to shed light with its recent­ly publis­hed Gui­de­li­nes 05/2021 on the Inter­play bet­ween the app­li­ca­ti­on of Arti­cle 3 and the pro­vi­si­ons on inter­na­tio­nal trans­fers as per Chap­ter V of the GDPR.

Three cri­te­ria for a third-country transfer

At the begin­ning of the Gui­de­li­nes, the EDPB lists three cri­te­ria for a third-country trans­fer that must be cumu­la­tively met:

1.    The con­trol­ler or pro­ces­sor invol­ved in pro­ces­sing is sub­ject to the GDPR.

2.    The con­trol­ler or pro­ces­sor invol­ved in the pro­ces­sing (“exporter”) dis­c­lo­ses the per­so­nal data to ano­t­her con­trol­ler, joint con­trol­ler or pro­ces­sor (“importer”) by trans­fer or other means (e.g. by making it accessible).

3.    The importer is loca­ted in a third coun­try or is an inter­na­tio­nal orga­ni­sa­ti­on. In this con­text, it does not mat­ter whe­ther the importer of Arti­cle 3 GDPR is encompassed.

Accord­ing to the EDPB, the fol­lowing con­stel­la­ti­ons can­not be con­si­de­red as third-country transfers:

  • A direct trans­fer by the data sub­ject to a reci­pi­ent in a third coun­try, as the data is not trans­fer­red by an exporter (con­trol­ler or pro­ces­sor) but at the data subject’s own initiative.
  • The remo­te access of an employee of a com­pa­ny wit­hin the EEA from out­side the EU.

In con­trast, the fol­lowing con­stel­la­ti­ons con­sti­tu­te third-country trans­fers in the EDPB’s view:

  • The trans­fer of the per­so­nal data of a con­trol­ler wit­hin the EU to a pro­ces­sor out­side the EU.
  • The trans­fer of per­so­nal data from a con­trol­ler out­side the EU to a pro­ces­sor wit­hin the EU, who then trans­fers the data back to the con­trol­ler. Sin­ce the con­trol­ler is in a third coun­try, the trans­fer of data from the pro­ces­sor to the con­trol­ler is con­si­de­red a trans­fer of per­so­nal data.
  • The trans­fer of per­so­nal data from a pro­ces­sor wit­hin the EU to a sub-processor out­side the EU.
  • The inter­nal trans­fer of per­so­nal data from a sub­si­dia­ry wit­hin the EU as con­trol­ler to the parent com­pa­ny out­side the EU as pro­ces­sor, e.g. to store employee data in the HR database.

As an examp­le of the third requi­re­ment, the EDPB cites the case of a pro­ces­sor wit­hin the EU who pro­ces­ses data for a con­trol­ler without an estab­lish­ment in the EU and for­wards the data to the con­trol­ler. Even if the GDPR app­lies to both pro­ces­sing ope­ra­ti­ons pur­suant to Arti­cle 3(1) and (2) GDPR, the trans­fer of data from the pro­ces­sor to the con­trol­ler is con­si­de­red a trans­fer to a third coun­try, sin­ce the con­trol­ler is loca­ted in the third country.

Still open questions

Des­pi­te the­se cla­ri­fi­ca­ti­ons, some ques­ti­ons dis­cus­sed in prac­ti­ce remain open: For examp­le, it is note­wor­thy that the EDPB does not fur­ther address the ques­ti­on of when an importer is in a third coun­try or when data are made avail­ab­le in a third coun­try. The much-cited U.S. CLOUD ACT and pos­si­ble rights of access by U.S. parent cor­po­ra­ti­ons to Euro­pean bran­ches and sub­si­dia­ries appar­ent­ly do not seem worth men­tio­ning for the EDPB at this point. This could be an indi­ca­tor that the EDPB is more rela­xed about the­se issu­es than some natio­nal regulators.

back

Stay up-to-date

We use your e-mail address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.