EDPB Opinion 22/2024 dated October 9, 2024 answers questions from the Danish supervisory authority on obligations under Article 28 and Chapter V of the GDPR on data transfers to third countries.
In this concluding installment of analysis of the document, we examine aspects of the requirements:
- that impact the chain of processing in relation to data transfers (Chapter V, GDPR)
- that require the conclusion of an appropriate contract or other legal act between data exporter and data importer as an appropriate safeguard for data transfers to third countries (Article 44, GDPR).
Precedents on this same topic are the Bulletins of November 28, 2024 and December 12, 2024.
Data transfers in the data processing chain
GDPR rules on data transfer to third countries apply to data controllers and processors. Violations result in individual liability for both.
When personal data are transferred outside the EEA, under the accountability principle, the controller must ensure that the level of protection is not compromised by the transfers. This means that the controller must ensure that (sub-) processors) – i.e., processors and sub-processors – comply with the conditions for international data transfers established:
- by the GDPR
- by the instructions given by the controller.
To this end, contracts between the controller and the processor must include an undertaking by the processor to process personal data only on documented instructions from the controller, unless required by the law of the Union or the member state to which the processor is subject. This means that the processor may not transfer personal data outside the EEA for its own purposes or on the instructions of a third party, unless obliged to do so by an applicable law. In addition, the processor must inform the controller of any legal obligation that compels it to process personal data in a manner different from the instructions received.
The controller, for its part, must assess and document that transfers are carried out in accordance with documented instructions and that the safeguards offered by the processors are sufficient to maintain the level of protection required by the GDPR.
