On November 18, the European Data Protection Board (“EDPB”) released draft guidelines on the interplay between Article 3 GDPR – which sets out the GDPR’s territorial scope – and the provisions in Chapter V of the GDPR, which impose restrictions on international data transfers. In this draft guidance, the EDPB clarifies which (cumulative) criteria must be fulfilled for there to be a transfer of personal data to a third country or to an international organization under the GDPR. The EDPB also discusses some of the consequences of international data transfers, in terms of making sure that appropriate safeguards are provided when transferring personal data outside of the EU.
The EDPB identifies three cumulative criteria that qualify a “processing” as a “transfer” under the GDPR:
- A controller or processor (“exporter”) is subject to the GDPR for the given processing;
- This exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”);
- The importer is in a third country or is an international organization, irrespective of whether or not this importer’s processing is subject to the GDPR.
The first criterion requires that there is a) a controller or processor “exporting” personal data, and b) the controller or processor is subject to the GDPR for the given processing. There is therefore no transfer if personal data are disclosed directly and on their own initiative by data subjects in the EU to a controller or processor outside of the EU. Controllers and processors not established in the EU but subject to the GDPR per Article 3(2) (e.g., because they offer goods or services to individuals in the EU or monitor their behavior) must also comply with Chapter V GDPR when transferring the personal data to a third country or to an international organization. The draft guidance further emphasizes that a processor established in the EU and processing personal data for a controller that is not established in the EU must comply with Chapter V GDPR when transferring the personal data back to the controller outside of the EU.
The second criterion requires that the personal data are transmitted or otherwise made available from a controller or processor to another controller, joint controller or processor outside of the EU. Therefore, there can only be a transfer if at least two different (separate) parties (each of them a controller, joint controller or processor) are involved. If the data exporter and importer are not different controllers/processors – i.e., if the data are processed within the same controller/processor – there is no transfer under the GDPR.
If the transfer criteria are met, the controller or processor “exporting” the data must ensure compliance with Chapter V GDPR by using one of the instruments listed in the GDPR and aimed at protecting personal data after they have been transferred to a third country or an international organization. These instruments include:
- The recognition of the existence of an adequate level of protection in the third country or international organization to which the data are transferred (Article 45 GDPR);
- In the absence of such adequate level of protection, the implementation of one of the appropriate safeguards as provided for in Article 46 GDPR; or
- In the absence of an adequacy decision (Article 45) or an appropriate safeguard per Article 46, one of the derogations in Article 49 GDPR.
The EDPB found it important to highlight in its draft guidance that the content of Article 46-type safeguards for international transfers needs to be customized depending on the situation. For example, new transfer tools (e.g., SCCs) dealing with the Article 3(2) GDPR scenario – which the European Commission is reportedly in the process of preparing – should not merely duplicate the GDPR obligations that already apply. Instead, they should focus on the elements and principles that are “missing” and, thus, needed to fill the gaps relating to conflicting national laws and government access in the third country as well as the difficulty of enforcing and obtaining redress against an entity outside the EU.
The guidelines adopted on November 18 are now open for public consultation. Stakeholders may provide feedback until January 31, 2022, after which the EDPB is expected to adopt its final guidelines.
Source: EDPB, Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, adopted on November 18, 2021 (version for public consultation) – https://edpb.europa.eu/our-work-tools/documents/public-consultations/2021/guidelines-052021-interplay-between-application_en.