Legal Lexicon


Third Country Territory

Concept and legal classification of third-country territory

The term “third-country territory” is widely used in German and European law and describes areas outside specifically defined states or state communities, for example outside the European Economic Area (EEA) or the European Union (EU). The legal provisions, distinctions, and consequences arising from the classification as a third-country territory are significant in numerous legal matters, especially in tax law, customs law, data protection law, and foreign trade law. This article provides a detailed examination of the manifold legal aspects of the term, its delimitation, and its practical relevance in various areas of law.


Legal sources and definitions

Distinction between EU territory and EEA

In the legal context, third-country territory refers to areas that do not fall within the territorial scope of specific international agreements, particularly the European Union or the European Economic Area. The counterpart is the so-called “Community territory,” which describes the territorial scope of the legislating community. These two terms have a complementary relationship.

Legal term content in laws and regulations

The legal definition of third-country territory is provided in various laws and legal regulations, for example in:

  • Section 1a VAT Act (UStG) in Germany: Specifies that third-country territories are those areas that are not Community territory within the meaning of VAT law.
  • Art. 3 EU VAT System Directive (VAT Directive): Defines third-country territories as territories that are not part of the Union territory.
  • Art. 2 General Data Protection Regulation (GDPR): For the scope of the GDPR, third country describes a country outside the European Economic Area.

In other areas of law, such as customs law or foreign trade law, there are sometimes different definitions of the term.


Third-country territory in tax and duties law

VAT law

In German VAT law, the term third-country territory plays a central role. To determine whether a supply or service qualifies as an export supply or an intra-Community supply and may therefore be tax-exempt, the territorial distinction between Community territory and third-country territory is decisive.

  • Community territory: Includes the customs territory of the European Union with certain exceptions (e.g., Heligoland, Büsingen).
  • Third-country territory: All countries and territories outside the Community territory.

The precise delimitation is set out in Section 1 (2a) VAT Act (UStG). For transactions relating to third-country territories, special VAT rules apply, especially regarding tax exemptions and proof of export.

Customs law and customs union

Under the customs law of the European Union, the third-country territory is any region that is not part of the EU customs territory. However, special regulations apply to special territories (e.g., Canary Islands, French overseas territories), which are partially excluded from the Community and/or customs territory and are thus treated as third-country territories, even though they are politically part of the EU.

Foreign trade law

In foreign trade law, third-country territories are particularly relevant in relation to licensing requirements, embargoes, or trade sanctions. The legal treatment of trade transactions, exports, transits, and services often depends on whether a business transaction is carried out with a third-country territory.


Third-country territory in data protection law

Importance in international data protection

Within the scope of the General Data Protection Regulation (GDPR), third-country territories are countries outside the European Economic Area. The transfer of personal data to these areas is only permitted under certain conditions.

Legality of data transfers to third-country territories

A data transfer to a third-country territory requires either an adequate level of data protection in the respective territory or suitable safeguards (such as standard contractual clauses or binding internal data protection rules). If such a guarantee is lacking, a transfer is only allowed in exceptional cases pursuant to the GDPR. The European Commission assesses and identifies certain states (e.g., Japan, Canada, Switzerland) as secure third countries and certifies that they have an adequate level of data protection (so-called adequacy decision).


Special cases and specific regulations

Peculiarities of individual territories

Certain territories that politically belong to the EU or to an EU Member State may, for specific purposes, be considered as third-country territory. Examples include:

  • Canary Islands: Part of Spain, but not part of the EU VAT territory.
  • French overseas territories: Various statuses depending on the area of law.
  • Büsingen am Hochrhein (Germany): Belongs to German territory, but not to the EU customs territory.
  • Heligoland: Considered a third-country territory for VAT purposes.

These special regulations are explicitly listed in relevant laws, ordinances, or annexes to EU directives.


Third-country territory and international agreements

WTO and trade agreements

In international negotiations, trade agreements, and in the context of the World Trade Organization (WTO), the term third country or third-country territory is often central for assessing tariffs, market access regulations, and rules of origin for goods.

Schengen and visa law

In the area of Schengen law and European visa regulations, third-country territory refers to any state that does not participate in the Schengen Agreement. This directly affects entry formalities as well as the application of visa regulations.


Case law and administrative practice

To clarify the exact scope and application of the term in individual cases, the interpretation by national and European courts as well as the administrative practice of the competent authorities must regularly be taken into account. Key decisions of the European Court of Justice (ECJ) and national administrative directives illustrate how questions of delimitation with regard to specific third-country territories are to be resolved.


Practical significance of the term third-country territory

The term third-country territory is of considerable practical relevance for businesses, organizations, and individuals. Correct application is essential for compliance with tax, customs, and data protection obligations. Incorrect classifications can lead to significant legal and financial disadvantages, for example in the context of customs controls, tax audits, or data transfers.


Summary

Under German and EU law, third-country territory describes areas that do not fall within the territorial scope of certain international organizations such as the EU or the EEA. The classification as a third-country territory has a significant impact on legal treatment in tax, customs, foreign trade, and data protection matters. Due to the complexity of the legal areas, the term plays a central role in numerous fields of law. The precise delineation and associated legal consequences are complex and subject to a multitude of area-specific rules, regulations, and exceptions.

Frequently asked questions

What legal requirements apply to the transfer of personal data to a third-country territory?

The transfer of personal data to a third-country territory is, under the General Data Protection Regulation (GDPR), generally only permissible if an adequate level of data protection can be ensured in the respective third country. This may be achieved either by an adequacy decision of the European Commission pursuant to Art. 45 GDPR or, if such a decision does not exist, by suitable safeguards such as standard contractual clauses, binding corporate rules (BCR), or specific contractual arrangements under Art. 46 GDPR. In addition, data subjects must be given clear information, and their right to object and to lodge a complaint must be ensured. Companies may need to take supplementary measures to guarantee an adequate level of protection, especially following the requirements of the Court of Justice of the European Union (CJEU) in the “Schrems II” decision. Data controllers are required to carry out a comprehensive risk analysis and, if necessary, a data protection impact assessment. If neither an adequacy decision nor suitable safeguards are present, the transfer may only be carried out in exceptional cases under Art. 49 GDPR, for example with explicit consent or for the performance of a contract.

What role do standard contractual clauses play for transfers to a third-country territory?

Standard contractual clauses (SCC) are contractual templates adopted by the European Commission that are intended to ensure an adequate level of protection when transferring data to a third-country territory. They bind the contracting parties to specific data protection obligations and provide enforceable rights for data subjects. In practice, SCC must be adopted unchanged and supplemented with additional technical or organizational measures when the level of protection in the third country does not match that of the EU. Following the CJEU’s “Schrems II” decision, companies are obliged to independently assess the effectiveness of SCC in the third country, especially in regard to governmental access and the legal remedies available to data subjects. If standard contractual clauses are not sufficient, data transfers should not take place or other protective measures must be implemented.

What obligations do controllers have before transferring data to a third-country territory?

Controllers are required to carefully assess the level of data protection in the destination country before any transfer of personal data to a third-country territory. This includes evaluating whether an adequacy decision by the European Commission exists or whether suitable safeguards, such as standard contractual clauses or binding corporate rules, must be implemented. They must also appropriately inform affected data subjects, particularly of any risks related to the transfer. If necessary, a data protection impact assessment under Art. 35 GDPR must be carried out, especially if the processing is likely to result in a high risk to the rights and freedoms of individuals. Additionally, controllers must implement appropriate technical and organizational measures to protect the data and regularly review and document compliance.

What special rules apply to processing by service providers in a third-country territory?

When engaging processors in a third-country territory, extended legal requirements apply. The transfer is only permitted if the processor provides sufficient safeguards for an adequate level of data protection. Controllers must conclude a GDPR-compliant contract with the processor that governs the processing of personal data and the implementation of technical and organizational measures. Suitable transfer tools such as standard contractual clauses must also be integrated. Audit and control rights for the controller play a central role, as do transparency obligations and the requirement that the processor also subjects subcontractors (so-called sub-processors) to GDPR requirements. The controller remains fully liable for the lawfulness of the data processing.

What legal consequences result from unlawful data transfers to a third-country territory?

Unlawful data transfers to a third-country territory may result in substantial legal and financial consequences. The competent supervisory authorities are empowered to impose penalties in the form of fines, which depending on the severity of the violation can reach up to 20 million euros or 4% of the total worldwide annual turnover of the preceding financial year (pursuant to Art. 83 GDPR). There is also the risk of civil liability claims by data subjects for damages under Art. 82 GDPR. In addition, further data transfers may be prohibited and orders issued for the retrieval or deletion of already transferred data. Furthermore, reputational damage may result for the responsible company.

How do national special regulations of EU Member States affect data transfers to third-country territories?

In addition to the requirements of the GDPR, individual EU Member States can set stricter or more specific provisions regarding international data transfers within the framework of opening clauses, especially for particularly sensitive data such as health or employment data. This may mean that additional approval procedures, information, or safeguarding obligations apply to certain types of data or processing activities. Controllers therefore must regularly inform themselves about the national legislation and the administrative interpretation based thereon to ensure compliance not only with EU-wide requirements but also with national law and to protect themselves from sanctions.

What is the significance of Binding Corporate Rules (BCR) for data transfer within a group of companies with a third-country connection?

Binding Corporate Rules, or BCRs, are company-internal data protection regulations that allow internationally operating corporate groups to structure transfers of personal data within the group—including outside the European Economic Area—in a legally secure manner. BCRs must be approved by the competent data protection supervisory authority and guarantee a level of data protection comparable to the GDPR. BCRs include binding obligations relating to data protection principles, data subject rights, complaint procedures, responsibilities, and, if applicable, liability issues within the corporate group. They thus provide a flexible but legally demanding means of legitimizing internal group data transfers more permanently than, for example, standard contractual clauses.