Privacy Company Blogs


Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Controllers and Processors

Processing of special categories as a processor in the EU on behalf of a controller outside of the EU, loophole or legitimate processing?

 Generally, the controller bears the responsibility for processing special category personal dataArticle 9(1) GDPR generally prohibits the processing of special categories of personal data. It does not explicitly differentiate whether this prohibition applies to the controller or processor. In fact, this differentiation is redundant if the controller and processor are both subject to the GDPR, because the controller would be the responsibility bearer to clarify whether processing special categories would be justified by the legal exceptions of Article 9(2) GDPR. Consequently, this question would never meet the processor. It is possible that the controller is not subject to the GDPR, while the processor still isThe above reasoning is based on the underlying assumption that the GDPR would always apply to both, the controller and the processor. However, on page 12 of its guidelines on territoriality the EDPB has acknowledged a constellation where this assumption can no longer be upheld. It describes a scenario where a non-EU controller is not subject to the GDPR, although its EU processor is. The EDPB reasons that the territorial scope of Article 3(1) GDPR would not automatically make the non-EU controller subject to the GDPR, because “the processor is merely providing a processing service which is not “inextricably linked” to the activities of the controller”1. The EDPB concludes that in such constellation the non-EU controller would not be subject to the GDPR, but the EU processor would be.
Controllers and Processors