Scope of data transfers - what counts as a transfer
The GDPR does not define 'transfer'. A key distinction is that a transfer is not the same as mere transit: it is the processing in the third country that completes a transfer. Random technical routing and brief remote access by travellers are not transfers; the Lindqvist case held that merely loading data onto a website is not a transfer to every country that can access it.
The GDPR does not define the concept of transfer. The book's key rule: transfer is not the same as transit - it is the processing in the third country that completes the 'transfer'. Routing data through a third country en route does not trigger the restriction unless some substantive processing happens there.
| Situation | Why not a transfer |
|---|---|
| Technical routing of packet-switch traffic (email, webpages) across servers worldwide | Random routing, no substantive processing operation in the third country |
| A traveller in a foreign airport logs on remotely to an EU system to access data | Brief electronic access by a person physically abroad - no processing in the third country |
| Loading personal data onto a website hosted in a member state (Lindqvist) | Mere publication accessible to anyone online is not a transfer to every country that connects |
If information is given by phone from the EU to someone in a third country who then enters it into a computer with the intention of automatic processing, that counts as a transfer - even though the original spoken exchange was not itself processing.