Why is it better to process personal data within the European Economic Area (EEA)? Consequences for controllers

Katarzyna Garbaciak, 24 February 2022


Vercom, to which EmailLabs belongs, is a European company, fully compliant with the provisions of GDPR and based solely on its own servers located in CEE. We provide our services based on our know-how and technology. Our care for information security is confirmed by the successfully completed certification audit and supervision audit of the Information Security Management System according to the ISO/IEC 27001:2013 standard, the scope of which concerns the ‘Creation, maintenance and development of electronic communication solutions, including SMS, emails, pushes in the CPaaS model’. We are also preparing for an audit in the area of ISO 27018 Cloud data security.

Is the use of foreign, especially American, solutions such as SMTP or email API services safe, and what does this mean for controllers? Do you transfer personal data such as your clients’ e-mail addresses outside the EEA? Be sure to read our study.

Company headquarters and servers located in the EEA.

  • The processing of personal data outside the EEA is treated more strictly by the GDPR and requires compliance with additional requirements that do not need to be met in relation to processing within the EEA.
  • Thus, processing outside the EEA raises additional risks of breaching the provisions of the GDPR and incurring fines. There is a less severe penalty for transferring data to an inappropriate entity in the EEA than for illegal transfer of data outside the EEA.
  • Entrusting data processing to an entity having both its registered office and servers in the EEA limits the scope of activities that the data controller has to perform in relation to the entrustment.

Transfer of personal data outside EEA

As far as transfers outside the EEA are concerned, countries can be divided into two basic groups: countries for which the European Commission has issued a decision establishing an adequate level of data protection, and countries for which no such decision has been issued. In the case of countries for which a European Commission decision has been issued, the transfer of data to them can, in principle, be treated as equivalent to an intra-EEA transfer. However, the USA is not included in this group of countries. On 16 July 2020, the Court of Justice of the EU, in the case of Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (the so-called Schrems II case), ruled that the Commission’s decision for the USA, the so-called Privacy Shield, does not meet the adequacy requirement and does not comply with the GDPR.

This means that additional prerequisites must be met in order to transfer data to the US, in particular:

The so-called standard contractual clauses may be used in an agreement with the US processor and, in addition, the legislation of that country may be examined, determining whether it provides an adequate level of protection (as indicated in the cited Schrems II judgement). The Schrems II judgement determines that US legislation does not provide such protection.

Therefore, in accordance with the guidelines of the European Data Protection Board, when transferring data to the USA, the service provider should be required not only to conclude a processing entrustment agreement based on standard contractual clauses, but also to provide additional safeguards (inter alia adopting and documenting technical measures ensuring more adequate protection by making the data more difficult to access, e.g. encryption, pseudonymisation, further monitoring of changes in third country legislation).

If the above conditions are not met, it is exceptionally possible to invoke additional, specific consent of the data subject for the transfer of data outside the EEA or grounds other than the consent, which, however, are not widely used in practice (Article 49 of the GDPR).

If these conditions are not met, sharing personal data with a US supplier should be considered illegal and giving rise to a risk of penalty.

Differences in entrusting data to EEA and non-EEA entities from a data controller’s perspective.

The comparison below sets entrustment within the EEA against entrustment outside the EEA (the latter refers to countries for which there is no appropriate European Commission decision, including the USA).

What needs to be investigated before entrusting?

  • EEA: Verifying whether the processor guarantees the processing of personal data in accordance with the law, including ensuring their adequate security (Article 28 of the GDPR).
  • Outside the EEA: Verifying:
    – whether the processor guarantees the processing of personal data in accordance with the law, including ensuring their adequate security (Article 28 of the GDPR),
    – a multi-level legal analysis of the admissibility of the transfer of data to a specific country (Article 44 et seq. of the GDPR).
    In the case of the USA, it is most often necessary to investigate whether:
    – the supplier’s agreement is based on standard contractual clauses, and
    – the supplier provides additional data protection measures.
    Alternatively, it is possible to transfer data after obtaining specific consent or meeting other prerequisites of Article 49 of the GDPR, which are not often used in practice.

Protection measures

  • EEA: No obligation to implement additional protection measures (standard level of protection adequate to the risk).
  • Outside the EEA: The requirement to implement additional protection measures by:
    – identifying all personal data processing operations to a third country,
    – verifying whether, in the context of a specific operation, the processing outside the EEA could adversely affect the effectiveness of the applied security measures,
    – adopting technical measures which are necessary to ensure that the level of protection of transferred data in a country outside the EEA is adequate to that guaranteed under the GDPR (e.g. pseudonymisation, encryption, etc.),
    – monitoring changes in the legislation of a given country and reacting to the changes by introducing additional security measures in the agreement with the processor.

Information obligations towards data subjects

  • EEA: No additional information obligations.
  • Outside the EEA: The need to inform users of the company’s services of the intention to transfer data to third countries (as a result of cooperation with an entity processing data in a country outside the EEA), together with an indication of the safety measures applied and information on whether or not the European Commission has recognised an adequate level of protection.

Possible penalty for violation

  • EEA: Possible breach of Article 28 of the GDPR, which is punishable by a fine of up to EUR 10,000,000 or up to 2% of its total annual worldwide turnover from the previous financial year.
  • Outside the EEA: Possible violation of both Article 28 and additionally Article 44 et seq. of the GDPR. Punishable by a fine of up to EUR 20,000,000 or up to 4% of its total annual worldwide turnover from the previous financial year.

Internal documentation concerning personal data processing

  • EEA: No additional obligations.
  • Outside the EEA: The need to include additional entries in the Register of Processing Activities and to perform the analyses indicated above.

Enforceability of claims against the processor

  • EEA: Possibility to enforce claims based on Polish law and EU law with regard to cross-border disputes.
  • Outside the EEA: The actual possibility of enforcing claims varies from country to country. There is a risk that the litigation cannot be conducted in Poland and on the basis of Polish law (or EU law), or that the judgement of a Polish court may not be recognised in a country outside the EEA.

As you can see, there are many aspects to consider when planning to use foreign solutions to process Customer data. It is worth being aware of the differences in order to avoid unpleasant consequences and to prepare appropriately in procedural and legal terms.

The material was prepared with the assistance of attorney Maciej Jankowski, a partner of the law firm Media. The attorney’s areas of expertise include, among others, new technology law, including intellectual property law, personal data protection law and specific aspects of telecommunications law.
