Update: Data Transfer to Third Countries
Update: Data Transfer to Third Countries

Data transfer to third countries occurs frequently in practice. However, errors often occur in the process. The European Data Protection Board (EDPB) has examined this issue in detail due to 101 complaints from the NGO NOYB and has published a paper on the matter.

EDPB Statement on Data Transfer to Third Countries

We summarize the key points below:

  • If data collection is already unlawful due to a lack of legal basis under Article 6(1) GDPR, then the transfer to third countries is also unlawful.
  • Standard Contractual Clauses (SCCs) must be concluded before the data transfer. Data transfer cannot be remedied afterwards.
  • A data transfer cannot rely on an invalid EU-US agreement (e.g., Privacy Shield/Safe Harbor).
  • Additional appropriate safeguards following the Schrems II ruling must compensate for deficiencies in the data protection laws of the country to which the data is transferred.
  • Data encryption is not an appropriate additional safeguard if the data importer possesses the key and would be required to disclose it to their country's authorities.
  • If the data processor is the data exporter, the controller must take responsibility for this.

In addition to these general principles, the EDPB also addresses website operators specifically:

  • The website operator is responsible for data export if they integrate corresponding tools on the website.
  • Anonymization of IP addresses (and likely other data) is not an appropriate measure if it occurs after export.

Practical Tips

Data traffic outside the EEA and outside third countries classified as safe with an adequacy decision often poses a challenge for the data exporter. Errors are common here, especially affecting website owners using US tools. The following points should be considered:

  • Conclusion of (current) SCCs before data export.
  • Assessment of whether additional appropriate safeguards are necessary and their implementation.
  • Anonymization steps should occur before export.
  • Encryption is only helpful if the key does not need to be shared with the data importer, especially if they are obligated to disclose it.
  • If data export cannot be covered by SCCs, consideration can be given to whether an exemption can be utilized. Often, implementation with SCCs is not possible, for example, when additional appropriate safeguards cannot be implemented.


Report of the work undertaken by the supervisory authorities within the 101 Task Force

Do you have further questions in data protection law?

Do you have further questions regarding data export or do you wish to seek advice in other areas of data protection law? Feel free to contact us at office@geuer.at or by phone at +43-1-4380072. We look forward to your inquiry.

Scroll to Top