Where Is a Transfer? Datatilsynet Says Almost Everywhere!

Odia Kagan
Fox Rothschild LLP
Contact
LinkedIn
Facebook
X
Send
Embed

Fox Rothschild LLP

The flags of the United States and European Union.

Let’s say you are an EU company. You engage a processor. Data is processed in the EU. There is no transfer.

But in the processor-sub-processor data processing agreement, the data processor reserves the right to disclose personal data based on decisions by public authorities — including third countries. Is this a Schrems II Chapter V GDPR transfer? Datatilsynet says yes.

Some key points:

  • You have to comply with the requirements of Chapter V for the transfer.
  • Even if this is pursuant to a court order, that won’t necessarily save you or provide you with a valid legal basis for the transfer because under Article 48 GDPR, transfer pursuant to a judgment can only be recognized or enforced if it is based on an international agreement (such as a treaty on mutual legal assistance between the requesting third country and the EU or a Member State) without prejudice to other grounds for transfer under Chapter V of the Data Protection Regulation. (Reminder: the UK left Article 48 behind.)
  • Feel free to refer to the joint opinion of the European Supervisory Board and the European Data Protection Board of 10 July 2019 Parliament’s LIBE Committee. The opinion describes the legal conditions for the transfer of personal data based on requests to the United States under the US CLOUD Act.
  • You must ensure that your data processor ensures adequate guarantees that the rules of GDPR are complied with (so have them say it in your Article 28 agreement).
  • Ensure the necessary processing security, including that the data processor treats the information confidentially and does not make it available to unauthorized persons. It is important to assess the risk that the data processor, contrary to its promises and what is stated in the data processor agreement, will comply with a request in accordance with the law of a third country. (Real question to this audience: how can you do this??)
  • Supervise this data processor. If you become aware that the data processor is acting in breach of the data processor agreement by transferring personal data to a third country against the data controller’s instructions, you must take immediate action.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising

Written by:

Fox Rothschild LLP
Fox Rothschild LLP
Contact
more
less

Fox Rothschild LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide