We are often asked: “what is meant by a transfer of personal “to a third country” for the purposes of Chapter V of the GDPR?” – although not usually in such precise terms.
It is an important question as any transfer of personal data to a third country must comply with the conditions laid down in Chapter V. If the transfer is to a third country without an adequacy decision from the European Commission, this usually means adopting one of the appropriate safeguards set out in Article 46 of the GPDR, such as standard contractual clauses adopted by the European Commission.
For Uber, this was a particularly important question, because the answer ultimately led to their receiving a €290m fine.
What qualifies as a transfer?
The European Data Protection Board in their Guidelines 05/2021(1), concluded that three conditions need to be present for a transfer of personal data to a third country to arise:
- the ‘exporter’ (the controller or processor transferring the personal data) must be subject to the GDPR;
- there must be both an ‘exporter’ (a controller or processor) and an ‘importer’ (a controller, joint controller or processor); and
- the ‘importer’ must be in a third country (or be an international organisation) irrespective of whether they are subject to the GDPR.
Applying these criteria, the following types of data flows would not be considered transfers, and so would not be subject to Chapter V:
- When personal data is supplied directly by the data subject to a controller outside the EEA. For example, when a purchase is made on a website by an individual.
- When personal data in the EEA is remotely accessed from a third country by an employee, for example when on a business trip.
- When a data controller or processor in the EU stores personal data in a third country using the same entity’s own assets or infrastructure (i.e. there is no third-party importer).
Conversely, if a transfer of personal data is made to an entity in a third country, but the personal data is hosted and stored in servers in the EEA, that will still qualify as a transfer of personal data to a third country because it is the location of the importer that is the reference, not the infrastructure(2).
Uber
The Uber case arose as a result of transfers of personal data from Uber’s subsidiary in the Netherlands to Uber Technologies Inc in the United States.
Prior to their replacement in 2021, Uber had adopted the EC’s former standard contractual clauses to meet the conditions of Chapter V for these transfers. However, following the introduction of the EC’s new Standard Contractual Clauses in 2021, Uber updated its internal agreements to remove standard contractual clauses altogether. Their logic:
- as joint controllers of the personal data being transferred, there was no actual transfer of personal data from one controller to another; and
- as the GDPR applied to Uber Trading Inc’s processing of the transferred personal data, and because the 2021 Standard Contractual Clauses do not apply to transfers where the importer is subject to the GDPR, then the transfers did not come within the scope of Chapter V.
Unsurprisingly, the Dutch DPA disagreed. It concluded that:
- transfers of personal data between joint controllers where the receiving joint controller is outside of the EEA still qualify as transfers subject to the conditions of Chapter V; and
- the application of the GDPR to the importer’s processing of the transferred personal data did not disapply the requirements of Chapter V, notwithstanding that the 2021 Standard Contractual Clauses cannot be used in such circumstances.
What does this mean for you?
The Uber case illustrates both the complexity of how the requirements of Chapter V of the GDPR operate in practice and how there is potential for severe consequences should an organisation exporting personal data outside of the EEA not meet these requirements.
Getting help
Impact Privacy has extensive, global experience in managing the risks associated with data transfers. We would be delighted to help you review your data transfers or your wider privacy programme.
(1)-EDPB Guidelines 05/2021 on the Interpaly between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
(2)-See Recital 101 of the GDPR
