CHAPTER V

Transfers of personal data to third countries tocbror international organisations

 

 

Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.

 

A. Introduction
I. Overview and legislative history

Sentence 1 half-sentence 1 addresses the scope of Chapter V as well as its relationship to the general provisions of the GDPR. It clarifies that the provisions of Chapter V are additional requirements applying in case of a transfer to controllers or processors outside the EU or the EEA. Sentence 1 generally mirrors Art. 25 para. 1 DPD, but enlarges its scope to onward transfers (→ mn. 27). While sentence 2 had already been part of the Commission’s proposal, the EP and the Council initially deleted the sentence before it was reinserted again in the trialogue.

Sentence 2 was added as a reaction to the landmark decision of the CJEU in the Schrems case, which was rendered during the trialogue in October 2015. Sentence 2 repeats the main finding of the CJEU: Art. 8 para. 1 EU CFR requires that a high level of data protection has to be guaranteed, even if personal data are transferred to a third country, meaning that the level of data protection in the third country must be “essentially equivalent” to the level of protection in the EU.

II. Directive (EU) 2016/680

 

Art. 35 et seq. LED contain corresponding provisions for the transfer of personal data from the competent authorities of Member States to the competent public authorities of third countries and, in exceptional cases, directly to private entities in a third country (Art. 39). An equivalent level of data protection can, similarly to Art. 45 to 47 GDPR, be guaranteed by an adequacy decision of the Commission (Art. 36) or by appropriate safeguards (Art. 37). However, the derogations for specific situations (Art. 38) are too broadly worded. For example, they allow a transfer in an individual case, if it is necessary for the purpose of the directive pursuant to Art. 1 para. 1 (Art. 39 para. 1 lit. c), without any further requirement of a guarantee of an essentially equivalent level of data protection. Therefore, Art. 39 has to be interpreted narrowly in the light of Art. 8 para. 1 EU CFR. Hence, a transfer may take place only after an individual assessment (similar to Art. 37 para. 1 lit. b) and may require additional guarantees by the recipient.

B. Rationale of Chapter V (Art. 44 to 50)

I. Regulatory problem

“Do we want a Europe of merchants, or one of human rights?” asked the French data protection authority CNIL in 1993, characterizing the dilemma of international data flows. The risk of a transfer of personal data to a third country is considerable: After the transfer, data can be further processed without the limitations of EU data protection law and may be transferred onward to other third countries. By analysing these data, additional knowledge about the data subject might be gained and these data may be retransferred to the EU. Furthermore, in practice, it is considerably more difficult for the data subject to exercise its rights vis-à-vis a controller located in a third country. In addition, the possibilities of an effective oversight by the EU SAs are limited outside the territory of the Member States. Finally, in some third countries, governments might have access to the transferred data in a manner contrary to EU standards, in particular Art. 23.

On the other hand, the EU legislator recognizes that international trade in goods and services in a globalized and increasingly interconnected world depends on the global flow of information (see recital 101 sentence 1; recital 56 DPD). One solution of the dilemma could be to accept that a lower level of data protection is unavoidable when personal data are transferred to third countries. However, the CJEU as well as the legislator of the GDPR decided to answer the initial question differently and to give human rights precedence over commercial interests. Nonetheless, this approach ultimately serves the interests of European enterprises as well, since it creates a level playing field for them and for their competitors located outside the EU who otherwise could take advantage of more lenient data protection rules. Art. 3 para. 1 lit. b follows a similar rationale .

 

 

 

 

[…]