This blog addresses the question whether an EU processor who is subject to the GDPR is allowed to process special categories of personal data on behalf of a controller outside of the EU who is not subject to the GDPR.
Generally, the controller bears the responsibility for processing special category personal data
Article 9(1) GDPR generally prohibits the processing of special categories of personal data. It does not explicitly differentiate whether this prohibition applies to the controller or to the processor. In fact, this differentiation is redundant if the controller and the processor are both subject to the GDPR, because the controller bears the responsibility for clarifying whether the processing of special categories is justified by one of the legal exceptions in Article 9(2) GDPR. Consequently, this question would never reach the processor.
It is possible that the controller is not subject to the GDPR, while the processor still is
The above reasoning is based on the underlying assumption that the GDPR would always apply to both the controller and the processor. However, on page 12 of its guidelines on territoriality, the EDPB has acknowledged a constellation in which this assumption can no longer be upheld. It describes a scenario where a non-EU controller is not subject to the GDPR, although its EU processor is. The EDPB reasons that the territorial scope of Article 3(1) GDPR would not automatically make the non-EU controller subject to the GDPR, because “the processor is merely providing a processing service which is not “inextricably linked” to the activities of the controller” (1). The EDPB concludes that in such a constellation the non-EU controller would not be subject to the GDPR, but the EU processor would be.
If only the processor is subject to the GDPR, what does it need to do regarding the special category personal data?
In this scenario, the processor would only be subject to the “relevant GDPR provisions directly applicable to data processors” (2). The EDPB explicitly lists these GDPR provisions (3), but unfortunately does not answer whether a processor is allowed to process special categories of personal data on behalf of a controller who is not subject to the GDPR.
To visualize this better, let’s draw up the following example. A US controller is obliged by US law to process ethnicity data of its US employees. The US controller makes use of an EU processor. Based on the above, the US controller is not subject to the GDPR; the EU processor, however, would be subject only to the GDPR provisions directly applicable to processors. Who now has to face the general prohibition on processing special categories of personal data? The US controller, who is not subject to the GDPR, or the processor, who is only subject to the GDPR provisions directly applicable to processors?
The legal exceptions of Article 9(2) GDPR do not resolve the matter, because they do not apply
If one of the legal exceptions in Article 9(2) GDPR applies, processing ethnicity data, for instance, would be justified. The only possible exceptions in this example would be explicit consent or a legal obligation. The requirement for explicit consent does not apply, because the controller is not subject to the GDPR. The legal obligation is limited to EU laws, so the US obligation to process ethnicity data would not qualify. The result is that special category personal data is processed without a legal exception, which is prohibited under the GDPR.
The processor is left alone with the general prohibition to process special category personal data
The question remains: who needs to deal with the general prohibition on processing special categories, the US controller or the EU processor?
Our recommendation for the processor
We think that the best solution would be to allow a processor to process special categories in a situation as described above, for the following reasons:
There is no loophole
Nevertheless, the EDPB tries to set some limitations on such processing by stating that “the Union territory cannot be used as a ’data haven’, for instance when a processing activity entails inadmissible ethical issues …” (5). In our view, such a limitation would not be violated if the processor processes special categories.
A “data haven” would occur if the processor were able to circumvent the general prohibition on processing special category personal data for its own purposes. That is not the case, for two reasons. First, the ethnicity data would only flow through the EU and would not stay in the EU for further processing for the processor’s own purposes. Second, if the processor did use the ethnicity data for its own purposes, it would become a controller and the general prohibition would apply to it.
In our view, there are no inadmissible ethical issues either. Taking our example, only the ethnicity data of US citizens would be processed, which is covered by US legislation. It is not further processed in the EU for other purposes; instead, it “flows through” the EU back to the US. Given that the EU processor complies with its processor obligations, and the US controller with its US obligations, this cannot in itself be seen as an inadmissible ethical issue.
In conclusion, an EU processor would most likely be allowed to process special categories of personal data on behalf of a controller who is not subject to the GDPR. As this is still uncharted territory, we hope for more concrete guidance and/or case law on this question in the future.
1) EDPB (2019), Guidelines 3/2018 on the territorial scope of the GDPR, page 12.
2) EDPB (2019), Guidelines 3/2018 on the territorial scope of the GDPR, page 12.
3) EDPB (2019), Guidelines 3/2018 on the territorial scope of the GDPR, pages 12-13.
4) EDPB (2019), Guidelines 3/2018 on the territorial scope of the GDPR, pages 12-13.
5) EDPB (2019), Guidelines 3/2018 on the territorial scope of the GDPR, page 13.