Processing of special categories as a processor in the EU on behalf of a controller outside of the EU, loophole or legitimate processing?
This blog addresses the question of whether an EU processor who is subject to the GDPR is allowed to process special categories of personal data on behalf of a controller outside the EU who is not subject to the GDPR.
Generally, the controller bears the responsibility for processing special category personal data
Article 9(1) GDPR generally prohibits the processing of special categories of personal data. It does not explicitly differentiate whether this prohibition applies to the controller or to the processor. In fact, this differentiation is redundant if the controller and the processor are both subject to the GDPR, because the controller would bear the responsibility for clarifying whether processing special categories is justified by one of the legal exceptions of Article 9(2) GDPR. Consequently, this question would never reach the processor.
It is possible that the controller is not subject to the GDPR, while the processor still is
The above reasoning is based on the underlying assumption that the GDPR always applies to both the controller and the processor. However, on page 12 of its guidelines on territoriality the EDPB has acknowledged a constellation in which this assumption can no longer be upheld. It describes a scenario in which a non-EU controller is not subject to the GDPR, although its EU processor is. The EDPB reasons that the territorial scope of Article 3(1) GDPR would not automatically make the non-EU controller subject to the GDPR, because “the processor is merely providing a processing service which is not “inextricably linked” to the activities of the controller” (1). The EDPB concludes that in such a constellation the non-EU controller would not be subject to the GDPR, but the EU processor would be.
If only the processor is subject to the GDPR, what does it need to do regarding the special category personal data?
In this scenario, the processor would only be subject to the “relevant GDPR provisions directly applicable to data processors” (2). The EDPB explicitly lists these GDPR provisions (3), but unfortunately does not answer whether a processor is allowed to process special categories of personal data on behalf of a controller who is not subject to the GDPR.
Example
To illustrate, consider the following example. A US controller is obliged by US law to process ethnicity data of its US employees. The US controller makes use of an EU processor. Based on the above, the US controller is not subject to the GDPR, whereas the EU processor is subject only to the GDPR provisions directly applicable to processors. Who now has to deal with the general prohibition on processing special categories of personal data? The US controller, who is not subject to the GDPR, or the processor, who is only subject to the GDPR provisions directly applicable to processors?
The legal exceptions of Article 9(2) GDPR do not resolve the matter, because they do not apply
If one of the legal exceptions of Article 9(2) GDPR applies, processing ethnicity data, for instance, would be justified. The only possible exceptions in this example would be explicit consent or a legal obligation. The requirement for explicit consent does not apply, because the controller is not subject to the GDPR. The legal obligation exception is limited to EU or Member State law, so the US obligation to process ethnicity data would not qualify. The result is that special category personal data is processed without a legal exception, which is prohibited under the GDPR.
The processor is left alone with the general prohibition to process special category personal data
The question remains: who needs to deal with the general prohibition on processing special categories, the US controller or the EU processor?
Our recommendation for the processor
We think that the best solution would be to allow a processor to process special categories in a situation as described above. The reasons are as follows:
- To assess whether processing personal data is lawful is an exclusive obligation of the controller. Article 5(1)(a) GDPR demands that “Personal data shall be processed lawfully” and Article 5(2) GDPR puts this obligation on the controller by stating: “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1”.
- There is no indication in the GDPR that exclusive controller obligations should be extended to processors in cases where only the processor is subject to the GDPR. The EDPB explicitly states that only GDPR provisions directly applicable to processors should apply to the processor.(4)
- A mandatory Data Processing Agreement (“DPA”) does not require a processor to check for legal exceptions for special category processing. On the contrary, Article 28(3) GDPR explicitly states that a DPA “…sets out […] the obligations and rights of the controller…”.
- Chapter IV of the GDPR sets out provisions for controllers and processors. Article 24(1) of that chapter explicitly states that “… the controller shall implement […] and […] be able to demonstrate that processing is performed in accordance with this regulation.”
- Recital 81 GDPR stresses that a processor needs to “demonstrate compliance with the obligations of the controller.” That does not mean that a processor would need to assess the lawfulness of processing in cases where the controller has not done so. It rather requires the processor to have appropriate technical and organisational measures in place to safeguard the personal data processing adequately. The idea is that if a controller is “compliant”, the personal data processing should not be undermined by using a “non-compliant” processor. It does not mean that if a controller is not subject to the GDPR, the controller's obligations move to the processor.
There is no loophole
Nevertheless, the EDPB tries to set some limitations on such processing by stating that “the Union territory cannot be used as a ‘data haven’, for instance when a processing activity entails inadmissible ethical issues …” (5). In our view, this limitation would not be violated if the processor processes special categories.
A “data haven” would occur if the processor were able to circumvent the general prohibition on processing special category personal data for its own purposes. That is not the case, for two reasons. First, the ethnicity data would only flow through the EU and would not remain in the EU for further processing for the processor's own purposes. Second, if the processor did use the ethnicity data for its own purposes, it would become a controller, and the general prohibition would then apply to it.
In our view, there are no inadmissible ethical issues either. Taking our example, only US citizen ethnicity data would be processed, which is covered by US legislation. It is not further processed in the EU for other purposes; instead, it “flows through” the EU back to the US. Given that the EU processor complies with its processor obligations, and the US controller with its US obligations, this cannot be seen as an inadmissible ethical issue in itself.
Conclusion
In conclusion, an EU processor would most likely be allowed to process special categories of personal data on behalf of a controller who is not subject to the GDPR. As this is still uncharted territory, we hope for more concrete guidance and/or case law on this question in the future.
____________________________________________________________
1) EDPB (2019) Guidelines 3/2018 on the territorial scope of the GDPR at page 12.
2) EDPB (2019) Guidelines 3/2018 on the territorial scope of the GDPR at page 12.
3) EDPB (2019) Guidelines 3/2018 on the territorial scope of the GDPR at page 12-13.
4) EDPB (2019) Guidelines 3/2018 on the territorial scope of the GDPR at page 12-13.
5) EDPB (2019) Guidelines 3/2018 on the territorial scope of the GDPR at page 13.