Organization of cross-border data transfer according to GDPR Екатерина В June 21, 2022

In the General Data Protection Regulation (GDPR), the European Union (hereinafter referred to as the EU) established a restriction on the export of personal data outside the EU. Cross-border data transfer to third countries is possible only if such transfer complies with Chapter V of the Regulation. Chapter V contains a limited number of mechanisms aimed at ensuring that the transfer to third countries does not weaken the level of personal data protection guaranteed by the Regulation.

Before analyzing the mechanisms of cross-border transfer under GDPR, it is necessary to clarify the definition of cross-border transfer and to find out what it does not include.

Thesis 1. Data collection is not a data transfer

In practice, there is a common misconception that the receipt of data from a data subject in the EU by a non-European controller is a cross-border transfer. This leads to the erroneous conclusion that it is necessary to comply with the requirements of Chapter V of the GDPR “Transfers of personal data to third countries or international organizations”. However, receiving data from the subject is not a cross-border transfer of data; it is simply data collection.

The British supervisory authority ICO defines data transfer as “intentional sending of personal data, or making it accessible”*. 

Data transfer is the intentional sending of personal data to another party, or making the data accessible to that party, where neither the sender nor the recipient is a data subject.

It follows that data transfer is not data collection. This is also supported by the fact that the two operations are listed separately from each other in the definition of “personal data processing” in Art. 4(2) of the GDPR.

Thesis 2. Cross-border collection should not be treated as data transfer.

According to Art. 44 of the GDPR and the related Recital 101, the rules of Chapter V of the GDPR apply to the transfer of personal data. Consequently, in the “cross-border collection” of data from data subjects in the EU by a company outside the Union, the company is not bound by the requirements of Chapter V of the GDPR “Transfers of personal data to third countries or international organizations”.

Thesis 3. Only transfers outside the EU must comply with the rules of Chapter V.

If the data are transferred to the company rather than collected by it (for example, it receives personal information from the EU through its partner or customer), Chapter V becomes binding due to Art. 44 of the GDPR, which refers to the transfer to a third country or international organization.

Attention should be paid to the direction of the transfer: from the EU to a third country or international organization, that is, when the data are exported across the external border of the European Union. 

If, on the contrary, data are transferred to the EU, the requirements of this chapter of the Regulation do not apply, although the requirements of other chapters of the GDPR will continue to apply to the importer.

The level of protection of natural persons ensured in the Union by this Regulation should not be undermined, including in cases of onward transfers of personal data from the third country or international organisation to controllers, processors in the same or another third country or international organisation.

Analysis of Chapter V functioning on specific examples

*According to the ICO guidelines, data transfer should also be distinguished from data transit, where data is sent through an intermediary (e.g. an Internet host) without the intention of giving the intermediary access and opportunity to perform actions on the data during the transfer.

**However, according to art. 3(2a) the applicable GDPR rules will still apply to this processing, including art. 28 of the GDPR, which obliges the controller and processor to sign the Data Processing Agreement (hereinafter – DPA).

***As in the previous case, this does not preclude the application of the GDPR. In particular, it will be necessary to comply with Art. 28 of the GDPR, according to which a DPA must be concluded.

****In compliance with the rules of Art. 28 of the GDPR, a sub-processor is engaged with pre-authorization or post-authorization, i.e. the processor requests “permission” from the controller for such a transfer each time.
