1 Matching Annotations
- Feb 2023
Example 12: Controller in the EU uses a processor in the EU subject to third country legislationThe Danish Company X, acting as controller, engages Company Y established in the EU as a processoron its behalf. Company Y is a subsidiary of the third country parent Company Z. Company Y isprocessing the data of Company X exclusively in the EU and there is no one outside the EU, includingthe parent Company Z, who has access to the data. Additionally, it follows from the contract betweenCompany X and Company Y that Company Y shall only process the personal data on documentedinstructions from Company X, unless required to do so by EU or Member State law to which CompanyY is subject. Company Y is however subject to third country legislation with extraterritorial effect,which in this case means that Company Y may receive access requests from third country authorities.Since Company Y is not in a third country (but an EU company subject to Article 3(1) GDPR), thedisclosure of data from the controller Company X to the processor Company Y does not amount to atransfer and Chapter V of the GDPR does not apply. As mentioned, there is however a possibility thatCompany Y receives access requests from third country authorities and should Company Y comply withsuch request, such disclosure of data would be considered a transfer under Chapter V. Where CompanyY complies with a request in violation of the controller’s instructions and thus Article 28 GDPR,Company Y shall be considered an independent controller of that processing under Article 28(10)GDPR. In this situation, the controller Company X should, before engaging the processor, assess thesecircumstances in order to ensure that, as required by Article 28 GDPR, it only uses processors providingsufficient guarantees to implement appropriate technical and organisational measures so that theprocessing is in line with the GDPR, including Chapter V, as well as to ensure that there is a contract orlegal act governing the processing by the processor.
Not a transfer until the USG triggers a request, in which case Company Y becomes an independent controller ... though who is the data being transferred to? The USG on compelled order?