
10.02.2023

Is data safe in the EEA? The Data Protection Conference Positions Itself Once Again on the Subject of Third-Country Transfers

In this article, we take a closer look at a resolution of the Data Protection Conference (the "DSK", the body of the German federal and state data protection authorities) of 31 January 2023 that we consider highly relevant to practice. The DSK has once again taken a position on the topic of third-country transfers, or more precisely on the (theoretical) possibility that personal data located in the EEA could be accessed from a third country. After the draft of an "EU-US Data Privacy Framework" became known (we reported on this), there was initially a certain euphoria, since third-country transfers have been a never-ending story in data protection law for many years. This makes the requirements now set by the DSK all the more relevant, as they once again present companies with further challenges.

What exactly did the DSK decide?

First of all, the DSK expressly states in the cited resolution that the mere risk that a third-country parent company could instruct its EEA company (for example via rights of instruction under company law), or that public bodies of a third country could directly order an EEA company, to transfer personal data to a third country is not sufficient to assume a transfer to a third country within the meaning of Article 44 et seq. GDPR. Although this was already the prevailing legal opinion, the DSK's explicit clarification is to be welcomed.

At the same time, the resolution expressly states that these very risks of a third-country transfer can mean that the processor concerned does not offer the sufficient guarantees required under Article 28 GDPR. This is different only if the processor (or the controller) takes technical and/or organisational measures that provide sufficient guarantees that the processor will fulfil its contractual obligations.

According to the DSK, such risks already exist if the third country has laws or practices which, measured against the requirements of the GDPR, could oblige the processor to carry out an unlawful transfer of personal data.

In order to eliminate these risks, the controller must ultimately carry out an extensive assessment and documentation of the individual case (consisting of ten checkpoints) in order to be able to demonstrate that sufficient safeguards are in place. It is interesting to note that the resolution expressly refers to Recommendations 01/2020 of the European Data Protection Board, which in fact concern third-country transfers that actually take place.

What is our assessment?

First of all, it should be noted that the requirements of Article 28(1) GDPR must be met for any processing on behalf of a controller. The provision reads:

“Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

It is therefore a matter of course under data protection law that the selected processor must be able to comply with, and must comply with, the respective contractual requirements. In our opinion, however, the DSK's resolution, notwithstanding the accountability principle of Article 5(2) GDPR, goes too far overall. In detail:

  • In our opinion, Article 48 GDPR, which sets out the European data protection requirements for disclosure requests by public bodies outside the EEA, is not sufficiently taken into account. Instead, the burden is to a certain extent shifted to the controller, which must prove that its chosen contractual partner will not deliberately violate the provisions of the GDPR. Likewise, Article 28(10) GDPR, under which a processor that determines the purposes and means of processing in breach of the Regulation is itself considered a controller, is not addressed in any detail.
  • The controller is also required, although no third-country transfer takes place, to review the legal situation in the third country and to assess the risk of an unlawful disclosure request. In effect, this is a kind of "transfer impact assessment" even though the data remains in the EEA, i.e. no data transfer takes place.
  • The DSK expressly requires appropriate technical and/or organisational measures to be taken, without specifying them in more detail for the very specific situation of a merely theoretical risk of a third-country transfer. It would have been desirable for the DSK to make concrete recommendations for companies in the EEA.

How should companies now react?

Although we take a critical view of the DSK's legal opinion, the requirements it has now adopted must of course be observed. We are aware of the considerable challenges that small and medium-sized companies face in meeting the requirements of the GDPR and the supervisory authorities.

In our opinion, it will in future be necessary to examine in each individual case what specific action is required. Since the GDPR follows a risk-based approach, the nature, purposes and scope of the data processed must be taken into account in particular. We will be happy to help you find the right solution for your situation, so that you can master the challenge of data protection together with us.

Authors

Marius Drabiniok

Associate

Dr. Oliver Hornung

Partner

Franziska Ladiges

Partner
