Nothing to risk – data transfers to third countries under the GDPR


Due to their extreme importance in an increasingly digitalised and globalised economy, data transfers to third countries have been in the focus of public attention not only since the Schrems II ruling of the European Court of Justice.

Nevertheless, there is still a great deal of uncertainty in the business community as to what is meant by an “essentialy equivalent level of protection” and how this can be achieved in practice. Therefore, it is important for companies to know how the competent supervisory authorities understand the term " essentially equivalent level of protection" and whether a risk-based approach meets their requirements.


Nothing to risk – data transfers to third countries under the GDPR

Following the Schrems II-ruling, the European Data Protection Board (EDPB) adopted recommendations regarding supplementary measures when transferring data to countries outside of the EU/EEA, so-called third countries. The Danish Data Protection Agency has also updated its guidelines on transfers to third countries, which now takes these recommendations from the EDPB into account.

The adopted recommendation contains several steps, that should be taken, in order to ensure a level of protection which is “essentially equivalent” to that which the GDPR offers, when data is transferred to a third country. The data controller must assess whether there is anything in the third country’s legislation or practice which prevents the data processor from complying with their obligations under the GDPR and the chosen transfer mechanism. If the data controller finds that the legislation or practice of the third country means that the data processor cannot comply with their obligations, and therefore cannot ensure “essentially equivalent” protection, supplementary measures must be adopted.


A risk-based approach?

The recommendations from the EDPB has left many with the impression that transfers to third countries are now to be based on risk/impact assessment. However, the Danish Data Protection Agency are of the opinion that the recommendations do not support a risk-based approach to transferring data to third countries. The Danish Data Protection Agency, rejects risk-based approach to transfer, based on the fact that EDPB received a high number of consultation responses requesting a risk-based approach, and still the EDPB did not state this, which would have been natural and straight forward, if the EDPB meant that a risk-based approach should be used.  

Therefore in the opinion of the Danish Data Protection Agency, all transfers must be based on “objective” and “quantifiable“ criteria. There is – in their opinion no basis to for flexibility when it comes to the “essentially equivalent” protection. In the words of the Danish Data Protection Agency, the protection of personal data being transferred to third countries, must “not only be essentially equivalent in every single instance, but in each and every single instance -  95% of the instances is not enough.”  


Very narrow scope for transfer

Even though the EDBP recommendations concern all third countries, the European Court of Justice has already ruled on what they think of US legislation in relation to data protection, and the recommendations leave this scenario unchanged. In the light of their opinion regarding the risk-based approach, the Danish Data Protection Agency have stated, that the ruling of ECJ and EDPB recommendations only leave a very narrow scope for using services which transfers data to the US – and therefore also other third countries with similar legal setups, which would be a very high number of third countries


Article provided by: Claas Thöle (NJORD, Denmark)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.