Contributed By Luther Rechtsanwaltsgesellschaft mbH (Cologne)
When processing data, it must be considered whether the outsourcing involves a data transfer or only so-called order processing. The concept of data transfer is regulated in Article 4 paragraph 2 of the GDPR. During order processing, personal data are disclosed by the responsible office to other persons or third parties. Where the provider undertakes data processing on behalf of the customer as the data controller, it is mandatory to conclude a separate data processing agreement in accordance with Article 28 of the GDPR.
For a data transfer outside the EU or EEA to be lawful, the general principles of Article 44 of the GDPR must be observed. If data leaves the scope of EU data protection law, there is a risk of unrestricted use of the data in the country of the recipient as well as uncontrolled return to the EU. A transfer of personal data to a recipient in a third country must not only comply with the other provisions of the GDPR (e.g., an appropriate level of protection), but must also satisfy at least one of the conditions of authorisation in Articles 45 to 49 of the GDPR.