1) Controller collects data directly from a data subject in the EU
Maria, who lives in Italy, enters her contact details in a web form of an online clothing store operated by a company established in Singapore. This company has no presence in the EU. In this case, since there is no exporter (controller or processor) passing the data to the third country, there is no transfer. The case shows that when the data is passed directly on the data subject’s own initiative, and without an exporter, it does not constitute a transfer. Thus, Chapter V does not apply to this case, although the Singaporean company will need to check whether its processing activities are subject to Art. 3(2) GDPR.
This case provides a practical introduction to the topic, reminding readers that a data transfer under Chapter V of the GDPR occurs only if there is a data exporter (controller or processor) who passes the personal data to the third country or to an international organization.
2) Processor in the EU sends data back to its controller in a third country
XYZ Inc. is a controller without an EU establishment. XYZ sends personal data of its employees/customers (non-EU residents) to the processor ABC Ltd. ABC is established in the EU and is therefore covered by the GDPR for processor-specific obligations pursuant to Article 3(1). As XYZ is a controller in a third country, the disclosure of data from ABC to XYZ is regarded as a transfer of personal data, and thus Chapter V applies.
This instance might be surprising, as neither the controller nor the data subjects are subject to EU law, being located outside the EU/EEA, but the processor is. Why should there be a transfer tool under the GDPR when sending data of non-EU residents back to a controller in a non-EU country? The processor is the exporter who passes the data (back) to the importer acting as data controller. Article 44 of the GDPR envisages that a transfer may be carried out not only by a controller but also by a processor. Hence, such a transfer is possible where a processor sends data to another processor or even to a controller as instructed by its controller.
3) Employee of a controller in the EU travels to a third country on a business trip
George, an employee of A (a company established in Poland), travels to India for a meeting. During his stay, George uses his computer and remotely accesses personal data on his company’s databases. Does this remote access from a third country constitute a transfer? Since George is not another controller, but an employee of the company acting as an integral part of the same controller (A), it is not considered a transfer, as the disclosure is carried out within the same controller. The processing, including the remote access and the processing activities carried out by George after the access, is performed by the Polish company subject to Article 3(1) of the GDPR.
The lesson here is that the sender and the recipient must be different controllers or processors for the disclosure to be regarded as a transfer in terms of Chapter V GDPR. However, it should be noted that entities that form part of the same corporate group may qualify as separate controllers or processors. Consequently, these kinds of intra-group data disclosures may constitute transfers of personal data. Finally, the EDPB highlights that in the context of this case it should be kept in mind that controllers and processors are obliged to implement technical and organisational measures in accordance with Article 32 of the GDPR when considering the risks with respect to their processing activities.
To sum up, there are probably many different situations, at different levels, in which your organisation or its sub-contractors transfer personal data outside the EEA. Each of these situations should be recognized. It is ultimately the controller’s responsibility to ensure that whenever there is a transfer, it occurs in accordance with the GDPR and other currently applicable requirements of EU law.