Let’s say you are an EU company. You engage a processor. Data is processed in the EU. There is no transfer.

But in the processor-sub-processor data processing agreement, the data processor reserves the right to disclose personal data based on decisions by public authorities — including third countries. Is this a Schrems II Chapter V GDPR transfer? Datatilsynet says yes.

Some key points:

  • You have to comply with the requirements of Chapter V for the transfer.
  • Even if this is pursuant to a court order, that won’t necessarily save you or provide you with a valid legal basis for the transfer because under Article 48 GDPR, transfer pursuant to a judgment can only be recognized or enforced if it is based on an international agreement (such as a treaty on mutual legal assistance between the requesting third country and the EU or a Member State) without prejudice to other grounds for transfer under Chapter V of the Data Protection Regulation. (Reminder: the UK left Article 48 behind.)
  • Feel free to refer to the joint opinion of the European Supervisory Board and the European Data Protection Board of 10 July 2019 Parliament’s LIBE Committee. The opinion describes the legal conditions for the transfer of personal data based on requests to the United States under the US CLOUD Act.
  • You must ensure that your data processor ensures adequate guarantees that the rules of GDPR are complied with (so have them say it in your Article 28 agreement).
  • Ensure the necessary processing security, including that the data processor treats the information confidentially and does not make it available to unauthorized persons. It is important to assess the risk that the data processor, contrary to its promises and what is stated in the data processor agreement, will comply with a request in accordance with the law of a third country. (Real question to this audience: how can you do this??)
  • Supervise this data processor. If you become aware that the data processor is acting in breach of the data processor agreement by transferring personal data to a third country against the data controller’s instructions, you must take immediate action.