Also note IAPP's analysis of what Article 3 requires in this situation:
".. the GDPR should only trigger limited processor obligations when, for example, a U.S. controller (not subject to EU law) involves an EU processor rather than impose the full scope of the GDPR upon such U.S. controller (because it involves an EU processor). They clearly rejected the alternative (in the current directive) whereby any data transferred by a U.S. controller (or another non-adequate country) to the EU processor attracted the full scope of EU data protection law."
https://iapp.org/news/a/gdpr-conundrums-the-gdpr-applicability-regime-part-2-processors/
WP179 also bears careful reading. https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2010/wp179_en.pdf
Particular situations will have different results. In general I think GDPR is likely to bite on a non-EU controller to require an Art 28 compliant agreement with an EU processor, but once that is in place the simple return of the data to (or access by) the controller should not be regarded as a 'transfer'.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html
Any queries about sending or receiving messages please send to the list owner
[log in to unmask]
Full help Desk - please email [log in to unmask] describing your needs
To receive these emails in HTML format send the command:
SET data-protection HTML to [log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
