such processing can still be associated with increased risks because it takes place outside the EU, for example due to conflicting national laws or disproportionate government access in a third country.

Similarly, for atransfer of personal data to a controller or processor in a third country who is already subject to theGDPR for the given processing, it has to be noted that the GDPR already applies in its entirety

Example 12: Controller in the EU uses a processor in the EU subject to third country legislationThe Danish Company X, acting as controller, engages Company Y established in the EU as a processoron its behalf. Company Y is a subsidiary of the third country parent Company Z. Company Y isprocessing the data of Company X exclusively in the EU and there is no one outside the EU, includingthe parent Company Z, who has access to the data. Additionally, it follows from the contract betweenCompany X and Company Y that Company Y shall only process the personal data on documentedinstructions from Company X, unless required to do so by EU or Member State law to which CompanyY is subject. Company Y is however subject to third country legislation with extraterritorial effect,which in this case means that Company Y may receive access requests from third country authorities.Since Company Y is not in a third country (but an EU company subject to Article 3(1) GDPR), thedisclosure of data from the controller Company X to the processor Company Y does not amount to atransfer and Chapter V of the GDPR does not apply. As mentioned, there is however a possibility thatCompany Y receives access requests from third country authorities and should Company Y comply withsuch request, such disclosure of data would be considered a transfer under Chapter V. Where CompanyY complies with a request in violation of the controller’s instructions and thus Article 28 GDPR,Company Y shall be considered an independent controller of that processing under Article 28(10)GDPR. In this situation, the controller Company X should, before engaging the processor, assess thesecircumstances in order to ensure that, as required by Article 28 GDPR, it only uses processors providingsufficient guarantees to implement appropriate technical and organisational measures so that theprocessing is in line with the GDPR, including Chapter V, as well as to ensure that there is a contract orlegal act governing the processing by the processor.

Some examples of how personal data could be “made available” are by creating an account, grantingaccess rights to an existing account, “confirming”/”accepting” an effective request for remote access,embedding a hard drive or submitting a password to a file. It should be kept in mind that remote accessfrom a third country (even if it takes place only by means of displaying personal data on a screen, forexample in support situations, troubleshooting or for administration purposes) and/or storage in acloud situated outside the EEA offered by a service provider, is also considered to be a transfer,provided that the three criteria outlined in paragraph 9 above are met.

Example 9: A subsidiary (controller) in the EU shares data with its parent company (processor) in athird countryThe Irish Company X, which is a subsidiary of the parent Company Y in a third country, disclosespersonal data of its employees to Company Y to be stored in a centralised HR database by the parentcompany in the third country. In this case the Irish Company X processes (and discloses) the data in itscapacity of employer and hence as a controller, while the parent company is a processor. Company Xis subject to the GDPR pursuant to Article 3(1) for this processing and Company Y is situated in a thirdcountry. The disclosure therefore qualifies as a transfer to a third country within the meaning ofChapter V of the GDPR.

n addition, this second criterion cannot be considered as fulfilled when there is no controller orprocessor sending or making the data available (i.e. no “exporter”) to another controller or processor,such as when data are disclosed directly by the data subject15 to the recipient.

Example 8: Employee of a controller in the EU travels to a third country on a business tripGeorge, employee of A, a company based in Poland, travels to a third country for a meeting bringinghis laptop. During his stay abroad, George turns on his computer and accesses remotely personal dataon his company’s databases to finish a memo. This bringing of the laptop and remote access ofpersonal data from a third country, does not qualify as a transfer of personal data, since George is notanother controller, but an employee, and thus an integral part of the controller (A).19 Therefore, thetransmission is carried out within the same controller (A). The processing, including the remote accessand the processing activities carried out by George after the access, are performed by the Polishcompany, i.e. a controller established in the Union subject to Article 3(1) of the GDPR. It can, however,be noted that in case George, in his capacity as an employee of A, would send or make data availableto another controller or processor in the third country, the data flow in question would amount to atransfer under Chapter V; from the exporter (A) in the EU to such importer in the third country.

Chapter V does not apply to “internal processing”, i.e. where data is not disclosed bytransmission or otherwise made available to another controller or processor, including where suchprocessing takes place outside the EU