When does a third-country transfer occur?
Addressees of the General Data Protection Regulation (GDPR) who wish to transfer personal data to a so-called third country, i.e. a country outside the EU or the EEA, must first carry out a two-stage assessment with regard to the lawfulness of the transfer (cf. Art. 44 ff. GDPR).
In this context, the question of when a data transfer to a third country can be assumed to have taken place is relevant in practice. Although this has significant legal and practical consequences, the GDPR itself does not specifically define when such a transfer to a third country can be assumed to have taken place.
In its Guidelines 05/2021 (version 2.0, as of 14 February 2023) [1], the European Data Protection Board (EDPB) has identified three criteria that must be met simultaneously for processing to qualify as a transfer to a third country:
- A controller or processor is subject to the GDPR with regard to the processing in question.
- This controller or processor (‘exporter’) discloses data that is the subject of this processing to another or joint controller or another processor (‘importer’) by means of transfer or other means.
- This importer is located in a third country or is an international organisation, regardless of whether it falls within the scope of the Regulation in relation to the processing in question pursuant to Art. 3 GDPR.
Transfers within the meaning of Art. 44 et seq. GDPR also include contractually provided or non-excludable access options, e.g. in the area of system administration, or other retrieval procedures (e.g. downloading or providing data at a terminal). A transfer may also occur when personal data is accessed by entities in a third country via VPN.
Third-country transfers must be distinguished from cases of direct collection of personal data by bodies in third countries. If, for example, an employee registers on the website of a provider based in a third country, this does not generally constitute a data transfer under Art. 44 et seq. GDPR. Whether the GDPR applies to the provider in the third country (cf. Art. 3 GDPR) must be examined separately.
Use of European subsidiaries of US companies as service providers
In practice, companies often use European subsidiaries of US companies as service providers. In this case, the question arises as to whether the contractual assurance by the subsidiary that all data will be processed exclusively within the EU is sufficient to ensure that Art. 44 et seq. GDPR do not apply.
The latter was affirmed by the Second Federal Public Procurement Tribunal (decision of 13 February 2023 – VK2-114/22). The mere fact that a (sub)contractor is a subsidiary of a US corporation does not give rise to any doubt as to the fulfilment of the performance promise. It cannot be assumed that the corporate affiliation will result in instructions that are contrary to the law and the contract, or that the company will comply with such instructions. Although the decision cited is one relating to public procurement law, it is also of general significance for the use of contractors with parent companies in third countries.
Similar to the Public Procurement Tribunal, the European Data Protection Board (EDPB) also takes the view that the use of European subsidiaries of companies from third countries as service providers is permissible in principle, cf. Guidelines 05/2021 (version 2.0, as of 14 February 2023), Example 12: Controller in the EU uses a processor in the EU subject to third country legislation.
[1] https://edpb.europa.eu/system/files/2023-02/edpb_guidelines_05-2021_interplay_between_the_application_of_art3-chapter_v_of_the_gdpr_v2_en_0.pdf