Third Country Service Provider:
Legally compliant third country transfer
In times of digitalization, agile IT solutions are essential for companies. In addition to continuous system performance, the focus is on individual customer requirements. This flexibility is hard to achieve without service providers, who in turn often rely on other (international) subcontractors.
Data Transfer and Third Countries
As part of its activities, a service provider often needs access to the personal data of its client's customers. This requires either that the data is physically transferred, for example for storage in a cloud, or that the service provider has direct access to the data, for example through remote support services. The client is responsible for agreeing on an appropriate level of data protection with its service provider in order to minimize the risk that the processing poses to the data subjects. The processing of personal data then takes place on the basis of a data processing agreement (DPA). Appropriate technical and organizational measures, in turn, ensure the security of the processing.
If the service provider is based within the EU or the EEA and provides its services from this region, it is directly subject to the EU General Data Protection Regulation (GDPR), and a high level of data protection can be assumed.
If the service provider is based outside the EU/EEA, or involves subcontractors who provide their services from such a so-called third country, additional legal requirements apply. In these cases, the level of data protection may fall short of what the GDPR considers adequate, so further conditions must be met and appropriate guarantees (safeguards) must be provided to ensure an adequate level of data protection. The service provider is responsible for ensuring that the data protection requirements agreed upon with the client are fulfilled throughout the entire chain of its sub-processors.
Guarantees for a Secure Third Country Transfer
Data protection legislation provides for several instruments that allow data to be transferred securely to a country outside the EU/EEA.
- The most frequently used guarantee is the so-called EU standard contractual clauses (SCCs), which are concluded in addition to the data processing agreement. The current version of these clauses, issued by the European Commission in June 2021, has a modular structure and can be used in several constellations (controller-to-controller, controller-to-processor, processor-to-processor and processor-to-controller). In the context of commissioned data processing, such an agreement between the processor and its sub-processor is standard practice.
- In connection with the standard contractual clauses, a risk assessment (transfer impact assessment, TIA) is also required. The data exporter must examine the legal situation and the level of data protection in the third country and assess whether the recipient could be compelled by the law applicable there to act in breach of the contractual provisions. If this is the case, supplementary data security measures must be taken.
- Multinational groups can also secure data transfers via Binding Corporate Rules (BCR). BCRs are binding internal company data protection rules that establish an appropriate level of data protection and make it possible to transfer personal data to group companies in third countries. They therefore also constitute a suitable guarantee for third-country transfers. However, they must be approved by the competent supervisory authority.
- Transferring personal data to a third country is also possible on the basis of an adequacy decision. The European Commission adopts such a decision if it determines that the level of protection in a particular country is essentially equivalent to that of the GDPR. If an adequacy decision exists, data may be transferred to that country without further guarantees. However, it should be noted that the scope of the respective decisions may differ from country to country. For example, the EU-U.S. Data Privacy Framework only applies to participating companies in the USA.
The EU-U.S. Data Privacy Framework (DPF)
The EU-U.S. Data Privacy Framework (DPF) has recently become highly relevant for data transfers to the USA. The Commission's adequacy decision for the DPF entered into force on July 10, 2023, and provides a guarantee for third-country transfers. The DPF enables legally compliant data transfers to those US companies that have expressly self-certified under the framework.
It is the third agreement between the EU and the USA on data transfer, after the European Court of Justice declared its predecessors Safe Harbor (Schrems I ruling, 2015) and Privacy Shield (Schrems II ruling, 2020) invalid. Max Schrems, an Austrian data protection activist, had initiated the lawsuits due to the inadequate level of US data protection.
The DPF now includes further guarantees for data protection and strengthens the rights of affected EU citizens. In particular, a two-tier redress mechanism has been set up to simplify complaints by affected EU citizens and to enable them to challenge decisions. The activities of the US intelligence services are subject to closer oversight, and access to data is limited to what is necessary and proportionate to protect US national security. Certified companies must comply with requirements such as purpose limitation, information obligations and the fulfillment of data subjects' rights, and are subject to regular review.
It remains to be seen how long the DPF will remain in force. The surveillance laws of the USA have not changed as a result of the new adequacy decision, and Max Schrems therefore already has the next lawsuit ready. In addition, European data protection authorities have already voiced initial criticism of the adequacy of the measures.
However, the DPF currently provides a valid guarantee for transferring personal data to the USA, thus significantly improving the conditions for data transfer. All major hyperscalers are among the participating companies.
Arvato Systems has been working successfully for years with service providers within the EU/EEA, in the USA and in other countries outside Europe in order to provide the best possible services. With Microsoft in particular, we have a long-standing partnership. With our expertise across the entire Microsoft Cloud, we support our customers in their digital transformation and advise them on Microsoft 365, among other things. We always keep an eye on the legal framework and, as an IT specialist, on the requirements of our clients, and thus ensure an appropriate level of protection for the personal data entrusted to us.