(101) Flows of personal data to and from countries outside the Union and international organisations are necessary for the expansion of international trade and international cooperation. The increase in such flows has raised new challenges and concerns with regard to the protection of personal data. However, when personal data are transferred from the Union to controllers, processors or other recipients in third countries or to international organisations, the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation. In any event, transfers to third countries and international organisations may only be carried out in full compliance with this Regulation. A transfer could take place only if, subject to the other provisions of this Regulation, the conditions laid down in the provisions of this Regulation relating to the transfer of personal data to third countries or international organisations are complied with by the controller or processor.
(101) Der Fluss personenbezogener Daten aus Drittländern und internationalen Organisationen und in Drittländer und internationale Organisationen ist für die Ausweitung des internationalen Handels und der internationalen Zusammenarbeit notwendig. Durch die Zunahme dieser Datenströme sind neue Herausforderungen und Anforderungen in Bezug auf den Schutz personenbezogener Daten entstanden. Das durch diese Verordnung unionsweit gewährleistete Schutzniveau für natürliche Personen sollte jedoch bei der Übermittlung personenbezogener Daten aus der Union an Verantwortliche, Auftragsverarbeiter oder andere Empfänger in Drittländern oder an internationale Organisationen nicht untergraben werden, und zwar auch dann nicht, wenn aus einem Drittland oder von einer internationalen Organisation personenbezogene Daten an Verantwortliche oder Auftragsverarbeiter in demselben oder einem anderen Drittland oder an dieselbe oder eine andere internationale Organisation weiterübermittelt werden. In jedem Fall sind derartige Datenübermittlungen an Drittländer und internationale Organisationen nur unter strikter Einhaltung dieser Verordnung zulässig. Eine Datenübermittlung könnte nur stattfinden, wenn die in dieser Verordnung festgelegten Bedingungen zur Übermittlung personenbezogener Daten an Drittländer oder internationale Organisationen vorbehaltlich der übrigen Bestimmungen dieser Verordnung von dem Verantwortlichen oder dem Auftragsverarbeiter erfüllt werden.
(102) This Regulation is without prejudice to international agreements concluded between the Union and third countries regulating the transfer of personal data including appropriate safeguards for the data subjects. Member States may conclude international agreements which involve the transfer of personal data to third countries or international organisations, as far as such agreements do not affect this Regulation or any other provisions of Union law and include an appropriate level of protection for the fundamental rights of the data subjects.
(102) Internationale Abkommen zwischen der Union und Drittländern über die Übermittlung von personenbezogenen Daten einschließlich geeigneter Garantien für die betroffenen Personen werden von dieser Verordnung nicht berührt. Die Mitgliedstaaten können völkerrechtliche Übereinkünfte schließen, die die Übermittlung personenbezogener Daten an Drittländer oder internationale Organisationen beinhalten, sofern sich diese Übereinkünfte weder auf diese Verordnung noch auf andere Bestimmungen des Unionsrechts auswirken und ein angemessenes Schutzniveau für die Grundrechte der betroffenen Personen umfassen.
Attention! This commentary is to be updated soon due to a change in the position of EU regulators
In the General Data Protection Regulation (GDPR), the European Union (hereinafter referred to as the EU) established a restriction on the export of personal data outside the EU. Cross-border data transfer to third countries is possible only if such transfer complies with Chapter V of the Regulation. Chapter V contains a limited number of mechanisms aimed at ensuring that the transfer to third countries does not weaken the level of personal data protection guaranteed by the Regulation.
Before analyzing the mechanisms of cross-border transfer under GDPR, it is necessary to clarify the definition of cross-border transfer and to find out what it does not include.
Thesis 1. Data collection is not a data transfer
In practice, there is a common misconception that receiving data from a data subject in the EU, by a non-European controller is a cross-border transfer. This leads to the erroneous conclusion that it is necessary to comply with the requirements of Chapter V of the GDPR “Transfers of personal data to third countries or international organizations”. However, receiving data from the subject is not a cross-border transfer of data and represents nothing but a data collection.
The British supervisory authority ICO defines data transfer as “intentional sending of personal data, or making it accessible”[1].
At the same time, it is also obvious that the data transfer is not data collection. This is also proved by the fact that both these operations are listed separately from each other in the definition of “personal data processing” in art. 4(2) of the GDPR.
Thesis 2. Cross-border collection should not be treated as data transfer.
According to Art. 44 of the GDPR and related Recital 101 the rules of Chapter V of the GDPR apply to the transfer of personal data. Consequently, in the “cross-border collection” of data from data subjects from the EU by a company outside the Union, the company is not bound by the requirements of Chapter V of the GDPR “Transfer of personal data to third countries or international organizations”.
Thesis 3. Only transfers outside the EU must comply with the rules of Chapter V
If the data are transferred to the company and not collected by this company, (for example, it receives personal information from the EU through its partner or customer) Chapter V becomes binding due to Art. 44 of the GDPR, which refers to the transfer to a third country or international organization.
Attention should be paid to the direction of the transfer: from the EU to a third country or international organization, that is, when the data are exported across the external border of the European Union. Once activated, Chapter V will continue to apply to subsequent transfers without taking into account the direction: “the level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation ” (Recital 101 GDPR).
If, on the contrary, data are transferred to the EU, the requirements of this chapter of the Regulation do not apply, although the requirements of other chapters of the GDPR will continue to apply to the importer.
Analysis of Chapter V functioning on specific examples
1. The data subject and the controller are in the EU. Data from the subject are directly transferred to the controller, for example, through a questionnaire filled in by the subject on the controller’s website. There is no data transfer within the meaning of Chapter V of the GDPR because the data flow shown in the example is a data collection. Consequently, Chapter V is not applicable.
2. The data subject provides the data to the controller who is outside the EU. As in the previous example, there is no cross-border data transfer but a so-called “cross-border data collection”. Consequently, Chapter V is also not applicable.
3. After collecting data from European data subjects, a data controller “C” outside the EU transmits data to a Level 1 processor “P1”, which is also outside the EU. There is a data transfer, but the data are not transferred across the EU border. Consequently, Chapter V will also not apply to this data transfer [2].
4. Let’s assume that the P1 processor from the example above uses the European cloud service P2. Similar to the previous example, there is data transfer, but this time it crosses the EU border. However, the direction in which the data are transmitted is from a third country to the EU. In other words, a European company is an importer, not an exporter of data. Consequently, Chapter V again does not apply because it regulates transfers where the European company acts as a data exporter [3].
5. The second level processor P2 (subprocessor) decided to use the services of the third level processor P3 (sub-sub-processor), which is located in the third country [4].
The data are transmitted from P2 to P3, i.e. from the territory of the EU outside its borders. Therefore, for the P2 processor, the rules of data transfer outside the EU from Chapter V of the GDPR begin to apply.
In particular, Art. 46 of the GDPR, according to which the P2 processor must find a mechanism suitable for such transfer. Most likely, this will be the Standard Contractual Clauses (hereinafter – SCC), although there are other mechanisms for cross-border transfer, which will be discussed in other parts of this article.
From now on, all further data transfers, wherever they occur, are subject to the requirements set by Chapter V of the GDPR. Accordingly, even after the transfer of data from the EU to the 3rd country the information will be transferred within that 3rd country, one of the cross-border data transfer mechanisms from the art. 46 of the GDPR must be implemented.
Notes:
[1] According to the ICO guidelines, data transfer should also be distinguished from data transit, where data is sent through an intermediary (e.g. an Internet host) without the intention of giving the intermediary access and opportunity to perform actions on the data during the transfer.
[2] However, according to art. 3(2a) the applicable GDPR rules will still apply to this processing, including art. 28 of the GDPR, which obliges the controller and processor to sign the Data Processing Agreement (hereinafter – DPA).
[3] As in the previous case, this does not preclude the application of the GDPR, In particular, it will be necessary to comply with Art. 28 of the GDPR, according to which a DPA conclusion is required.
[4] In compliance with the rules of art. 28 of the GDPR, the connection of the sub-processor is carried out with pre-authorization or post authorization, i.e. the processor requests “permission” from the controller for such a transfer each time.