Q&As

If a controller based outside the EEA transfers personal data to a processor in the EEA and that processor then returns that personal data to the non-EEA controller, is that return transfer a restricted transfer outside the EEA under the General Data Protection Regulation and what transfer mechanisms may the processor use to make the transfer lawful? Would the answer differ if the processor was transferring additional or amended personal data (as compared to that originally transferred by the controller)?

read titleRead full title
Produced in partnership with Sam Morrow
Published on LexisPSL on 20/11/2019

The following Information Law Q&A produced in partnership with Sam Morrow provides comprehensive and up to date legal information covering:

  • If a controller based outside the EEA transfers personal data to a processor in the EEA and that processor then returns that personal data to the non-EEA controller, is that return transfer a restricted transfer outside the EEA under the General Data Protection Regulation and what transfer mechanisms may the processor use to make the transfer lawful? Would the answer differ if the processor was transferring additional or amended personal data (as compared to that originally transferred by the controller)?

This answer assumes that the data being transferred is personal data as defined in the General Data Protection Regulation, Regulation (EU) 2016/679 (GDPR) and the parties have been correctly identified as a ‘non-EEA controller’ and an ‘EEA processor’ respectively. This reply focuses solely on the requirements of Chapter V (Transfers of personal data to third countries or international organisations) of the GDPR as it applies to transfers of personal data outside the EEA and the parties must also ensure they comply with all other applicable obligations under the GDPR. The implications of Brexit are not addressed and for further guidance on Brexit, see Practice Note: Brexit—implications for data protection.

As explained in further detail in Practice Note: International transfers of personal data under the GDPR, among other things, Chapter V of the GDPR generally imposes restrictions which prevent personal data from being transferred to ‘third countries’ outside the EEA unless certain transfer mechanisms are in place. Responsibility for complying with such EEA transfer restrictions applies (among others) to any EEA processor transferring personal data outside of the EEA.

Provided that the data being transferred falls within the definition of ‘personal data’, the return of the data from the EEA processor to the non-EEA controller would be a restricted transfer subject to those restrictions in Chaptert V of the GDPR, provided that the processor and controller are

Popular documents