Skip to main content

Nothing to risk – data transfers to third countries under the GDPR


Due to their extreme importance in an increasingly digitalised and globalised economy, data transfers to third countries have been in the focus of public attention not only since the Schrems II ruling of the European Court of Justice.

Nevertheless, there is still a great deal of uncertainty in the business community as to what is meant by an “essentialy equivalent level of protection” and how this can be achieved in practice. Therefore, it is important for companies to know how the competent supervisory authorities understand the term " essentially equivalent level of protection" and whether a risk-based approach meets their requirements.


Nothing to risk – data transfers to third countries under the GDPR

Following the Schrems II-ruling, the European Data Protection Board (EDPB) adopted recommendations regarding supplementary measures when transferring data to countries outside of the EU/EEA, so-called third countries. The Danish Data Protection Agency has also updated its guidelines on transfers to third countries, which now takes these recommendations from the EDPB into account.

The adopted recommendation contains several steps, that should be taken, in order to ensure a level of protection which is “essentially equivalent” to that which the GDPR offers, when data is transferred to a third country. The data controller must assess whether there is anything in the third country’s legislation or practice which prevents the data processor from complying with their obligations under the GDPR and the chosen transfer mechanism. If the data controller finds that the legislation or practice of the third country means that the data processor cannot comply with their obligations, and therefore cannot ensure “essentially equivalent” protection, supplementary measures must be adopted.


A risk-based approach?

The recommendations from the EDPB has left many with the impression that transfers to third countries are now to be based on risk/impact assessment. However, the Danish Data Protection Agency are of the opinion that the recommendations do not support a risk-based approach to transferring data to third countries. The Danish Data Protection Agency, rejects risk-based approach to transfer, based on the fact that EDPB received a high number of consultation responses requesting a risk-based approach, and still the EDPB did not state this, which would have been natural and straight forward, if the EDPB meant that a risk-based approach should be used.  

Therefore in the opinion of the Danish Data Protection Agency, all transfers must be based on “objective” and “quantifiable“ criteria. There is – in their opinion no basis to for flexibility when it comes to the “essentially equivalent” protection. In the words of the Danish Data Protection Agency, the protection of personal data being transferred to third countries, must “not only be essentially equivalent in every single instance, but in each and every single instance -  95% of the instances is not enough.”  


Very narrow scope for transfer

Even though the EDBP recommendations concern all third countries, the European Court of Justice has already ruled on what they think of US legislation in relation to data protection, and the recommendations leave this scenario unchanged. In the light of their opinion regarding the risk-based approach, the Danish Data Protection Agency have stated, that the ruling of ECJ and EDPB recommendations only leave a very narrow scope for using services which transfers data to the US – and therefore also other third countries with similar legal setups, which would be a very high number of third countries


Article provided by: Claas Thöle (NJORD, Denmark)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

Cloud Privacy Check (CPC). Data Privacy Compliance in the Cloud Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.


About Us

EuroCloud is an independent non-profit organization and consists of a two-tier setup where organisations form all European countries can apply to participate in as long as they respect the EuroCloud Statutes.

To act as a true European player, all programs that are developed are intended to be European activities. These European programs are the strength of EuroCloud as a whole. Respect to local cultures along with the will to promote a real European spirit.