GDPR questions and answers

As a company acting as processor under a processing agreement, I have employees who will work in Ukraine and access entrusted data there. The agreement prohibits transferring data to third countries — what should I do?

ANSWER

It should first be noted that, as a rule, a transfer of data outside the EEA covers any processing operation as a result of which personal data are physically transferred to a third country, i.e. cross its borders. In the case described, the personal data will not be transferred to another independent entity (i.e. another controller or processor) but will be processed by the processor's employees permanently located in Ukraine, i.e. outside the EEA. Making the data available to those employees therefore falls within the concept of a 'transfer of data outside the EEA', and the processing will take place outside the EEA.

In his commentary on Article 44 GDPR, Paweł Fajgielski notes that "The literature on the subject indicates that a broad understanding of the concept of transferring personal data to a third country should be adopted, which should cover all actions aimed at the physical transfer of personal data to a third country ('movement' of data across state borders, sending, transmission of data, etc.) regardless of the form of the data and the manner of such transfer (e.g. via telecommunications networks, transfer on a data carrier, transfer of a paper document)" (P. Fajgielski, in: General Data Protection Regulation. Personal Data Protection Act. Commentary, 2nd ed., Lex/el. 2022, art. 44, thesis 4).

If the controller has excluded the possibility of transferring data outside the EEA in the processing agreement, the processor's employees cannot lawfully process personal data in Ukraine. In that case, an amendment to the processing agreement will be necessary, e.g. by addendum.

Can employees in Ukraine process EEA personal data? | ODO 24