12 Matching Annotations
  1. Feb 2023
    1. On this basis, the issues that I will address in this Draft Decision are as follows: Issue 1 – Whether clicking on the “accept” button constitutes or must be considered consent for the purposes of the GDPR. Issue 2 – Reliance on Article 6(1)(b) as a lawful basis for personal data processing. Issue 3 – Whether Facebook provided the requisite information on the legal basis for processing on foot of Article 6(1)(b) GDPR and whether it did so in a transparent manner.

      Key issues identified in the draft opinion. Compare later if this differs in final.

    1. Example 12: Controller in the EU uses a processor in the EU subject to third country legislation. The Danish Company X, acting as controller, engages Company Y established in the EU as a processor on its behalf. Company Y is a subsidiary of the third country parent Company Z. Company Y is processing the data of Company X exclusively in the EU and there is no one outside the EU, including the parent Company Z, who has access to the data. Additionally, it follows from the contract between Company X and Company Y that Company Y shall only process the personal data on documented instructions from Company X, unless required to do so by EU or Member State law to which Company Y is subject. Company Y is however subject to third country legislation with extraterritorial effect, which in this case means that Company Y may receive access requests from third country authorities. Since Company Y is not in a third country (but an EU company subject to Article 3(1) GDPR), the disclosure of data from the controller Company X to the processor Company Y does not amount to a transfer and Chapter V of the GDPR does not apply. As mentioned, there is however a possibility that Company Y receives access requests from third country authorities and should Company Y comply with such request, such disclosure of data would be considered a transfer under Chapter V. Where Company Y complies with a request in violation of the controller’s instructions and thus Article 28 GDPR, Company Y shall be considered an independent controller of that processing under Article 28(10) GDPR.
In this situation, the controller Company X should, before engaging the processor, assess these circumstances in order to ensure that, as required by Article 28 GDPR, it only uses processors providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing is in line with the GDPR, including Chapter V, as well as to ensure that there is a contract or legal act governing the processing by the processor.

      Not a transfer until the USG triggers a request, in which case Company Y becomes an independent controller ... though who is the data being transferred to? The USG on compelled order?

    2. Some examples of how personal data could be “made available” are by creating an account, granting access rights to an existing account, “confirming”/“accepting” an effective request for remote access, embedding a hard drive or submitting a password to a file. It should be kept in mind that remote access from a third country (even if it takes place only by means of displaying personal data on a screen, for example in support situations, troubleshooting or for administration purposes) and/or storage in a cloud situated outside the EEA offered by a service provider, is also considered to be a transfer, provided that the three criteria outlined in paragraph 9 above are met.

      Everything is a transfer.

    3. Example 9: A subsidiary (controller) in the EU shares data with its parent company (processor) in a third country. The Irish Company X, which is a subsidiary of the parent Company Y in a third country, discloses personal data of its employees to Company Y to be stored in a centralised HR database by the parent company in the third country. In this case the Irish Company X processes (and discloses) the data in its capacity of employer and hence as a controller, while the parent company is a processor. Company X is subject to the GDPR pursuant to Article 3(1) for this processing and Company Y is situated in a third country. The disclosure therefore qualifies as a transfer to a third country within the meaning of Chapter V of the GDPR.

      The EDPB says "Hahaha, get wrecked"

    4. In addition, this second criterion cannot be considered as fulfilled when there is no controller or processor sending or making the data available (i.e. no “exporter”) to another controller or processor, such as when data are disclosed directly by the data subject to the recipient.

      No transfer when an action is done directly by a data subject to/from a recipient.

    5. Example 8: Employee of a controller in the EU travels to a third country on a business trip. George, employee of A, a company based in Poland, travels to a third country for a meeting bringing his laptop. During his stay abroad, George turns on his computer and accesses remotely personal data on his company’s databases to finish a memo. This bringing of the laptop and remote access of personal data from a third country, does not qualify as a transfer of personal data, since George is not another controller, but an employee, and thus an integral part of the controller (A). Therefore, the transmission is carried out within the same controller (A). The processing, including the remote access and the processing activities carried out by George after the access, are performed by the Polish company, i.e. a controller established in the Union subject to Article 3(1) of the GDPR. It can, however, be noted that in case George, in his capacity as an employee of A, would send or make data available to another controller or processor in the third country, the data flow in question would amount to a transfer under Chapter V; from the exporter (A) in the EU to such importer in the third country.

      Ah, the employee example. Which of course goes sideways if you start to look at contractors; things get gross.

      Also, 'make the data available' is broad.

    6. Chapter V does not apply to “internal processing”, i.e. where data is not disclosed by transmission or otherwise made available to another controller or processor, including where such processing takes place outside the EU

      They actually seem to clarify that intra-group processing activities here aren't covered, provided it's truly "internal" - I suspect that if the processing includes contractors, this goes out the window.

    7. Such instruments should, for example, address the measures to be taken in case of conflict of laws between third country legislation and the GDPR and in the event of third country requests for disclosure of data.

      But how? In the DPA? The point of the transfer mechanism (e.g., SCCs / BCRs) is to be standard. You can't modify them.

      This sounds like a thing the EDPB/EC need to do not controllers/processors directly.

    8. Another situation worth mentioning in this context is when a controller in the EU uses a processor in the EU subject to third country legislation and there is a possibility that the processor will receive government access requests and, thus, a transfer of personal data will take place if the processor acts on such request

      This is the US CLOUD Act / FISA 702 clause.

    9. Example 6: Processor in the EU sends data back to its controller in a third country. XYZ Inc., a controller without an EU establishment, sends personal data of its employees/customers, all of them data subjects not located in the EU, to the processor ABC Ltd. for processing in the EU, on behalf of XYZ. ABC re-transmits the data to XYZ. The processing performed by ABC, the processor, is covered by the GDPR for processor specific obligations pursuant to Article 3(1), since ABC is established in the EU. Since XYZ is a controller in a third country, the disclosure of data from ABC to XYZ is regarded as a transfer of personal data and therefore Chapter V applies.

      Ugh. So the fact that the processing is done in the EU, even of non-EU data subjects still triggers a transfer event. This just broadens the scope of TRAs and other contractual obligations. Useful to refer back to people who like to argue that the GDPR doesn't apply.

  2. Mar 2021