In the light of the Schrems II judgment by the CJEU, questions relating to the concept of “data exporter” have been clarified by the Danish DPA.
Since the CJEU’s Schrems II judgment, the Danish Data Protection Agency has received an increasing number of questions relating to the transfer of personal data to third countries. Many of these questions concern the concept of “data exporter” and who, in practice, is responsible for ensuring that the transfer of personal data takes place according to data protection regulations, especially in larger, complex data processing situations. While the term “data exporter” is not defined in the GDPR, the concept is defined in the EU Commission’s standard contract, which is one of the most widely used transfer bases in Chapter V of the GDPR. As a result, the Danish DPA has decided to provide clarification on the role and concept of a “data exporter.”
A data controller or processor in a third country to whom data is transferred under a standard contract is considered a “data importer.”
A standard contract can be entered into by an EU data controller who transfers personal data to a data controller or data processor in a third country. The third country data controller or processor would be considered the “data importer”. This situation has raised a few doubts as to which party is responsible for ensuring the legality of the transfer under the GDPR, particularly in cases where one or more of the sub-data processors are outside the EU/EEA.
The GDPR stipulates that both parties (whether exporter or importer) are responsible for establishing a legal basis for the transfer.
According to GDPR Article 44, “Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.” The Danish Data Protection Agency interprets this article as imposing an obligation on both the data controller and the data processor. Both parties are therefore obliged to ensure that a transfer basis is provided that is effective in the light of all the circumstances of the transfer.
Under the GDPR, both the controller and processor are expected to take necessary measures to establish substantial security of the data.
Article 32 of the GDPR states that the controller and the processor must establish an appropriate level of processing security. The Danish Data Protection Agency regards both the data controller and any potential data processors as independent subjects with regard to this obligation. This means that the data controller and the data processor are each expected to take the necessary technical and organizational measures to establish an appropriate level of processing security. In cases where the data processor provides most or all of the technical infrastructure, the task of the data controller is to ensure – and be able to demonstrate to the Danish DPA – that the data processor has established a satisfactory level of security for the data being processed.