On Fri, 25 May 2018 at 13:03, Paul Smith <p...@pscs.co.uk> wrote: > On 25/05/2018 11:22, Stefano Bagnara wrote: >> On Fri, 25 May 2018 at 11:55, Paul Smith <p...@pscs.co.uk> wrote: >>> [...] >>> If someone sends a message from the UK to someone in the USA, by >>> definition, we must send that email outside of the EU. When we send the >>> email, we are sending personal data (eg usually the name/email address >>> of the sender never mind the content which could be anything (outside >>> our control)). That causes issues for GDPR.
>> NO, you are not transferring them as processor. > Why not? We are 'processing' personal data on behalf of the controller. > "Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller." > "Processing means any operation or set of operations which is performed on personal data or on sets of personal data....", including such basic things as storage and erasure of data. If simply storing data on someone's behalf is 'processing', then distributing an email certainly is (at the very least, the data is temporarily stored, and then erased, both of which are explicitly listed as 'processing') OK, but there's no problem with transferring data when the controller ask you to do that. GDPR - Article 28 - Processor, about the contract between the controller and the processor (the one your customer is asking you to sign): "That contract or other legal act shall stipulate, in particular, that the processor: ....(a) processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation," So your DPA/contract will simply tell that you won't transfer data to another country unless undire direct instructions of the controller, and the controller sending an email is a direct instruction, IMHO. That's different than a Processor that by its own decision, decide to use Amazon SES as "other processor" (sub-processor) for the delivery and by doing this, move the data to another country (and also adopts a new processor): both of them have to be notified, and sometimes needs a prior agreement by the controller. IANAL, Stefano _______________________________________________ mailop mailing list mailop@mailop.org https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop