Third country transfers of personal data under the GDPR: A review on remote access to personal data for business purposes In the light of C-311/18 Schrems II and new practices from the European Data Protection Board

Abstract

Remote access to data has increased significantly in resent years, encompassing everything from cloud service providers to other types of file-sharing between business partners and their employees. To give a review on the legal landscape of third country transfers this thesis offers an assessment on whether remote access in fact constitutes a "transfer" as understood in Chapter V of the GDPR. Furthermore, the standard of essentially equivalent protection is then highlighted to illustrate the level of protection transfer tools and additional safeguards necessarily needs to provide. Subsequently this thesis offers an illustration of transfer tools such as adequacy decisions, Standard Data Protection Clauses and Binding Corporate Rules to provide an in-depth understanding of the impact Schrems II has had on third country transfers of personal data. Finally the thesis provide an overview of possible additional safeguards for the cases of remote access to data, as highlighted by the European Data Protection Board.