European Data Protection Board Guidelines Clarify when Processing is an International Transfer under the GDPR
Although the Guidelines will not be legally binding, they do provide needed guidance regarding the interaction between GDPR art. 3 (addressing territorial scope of the GDPR) and chapter 5 (addressing transfers of personal data to third countries or international organizations).
The version of the Guidelines that is available for public consultation indicate that three criterion must be met for processing to be a ‘transfer’ that is subject to the required international data transfer mechanisms. Guidelines ¶7.
- A controller or processor is subject to the GDPR for the given processing.
- This controller or processor (“exporter”) discloses or makes available personal data to another controller, joint controller, or processor (“importer”).
- The importer is in a third country or is an international organization, irrespective of whether the importer is subject to the GDPR, in accordance with Article 3, with respect to its processing activities. Guidelines ¶7.
The Guidelines suggest that when these criteria are not met, no GDPR ‘transfer’ occurs. Guidelines ¶7; ¶19. The five most significant takeaways from the Guidelines are:
- No Transfer Obligations if the EU Data Subject, Rather than the Organization, Discloses Personal Data to the Organization Outside of the EU. When an EU data subject directly discloses personal data to an organization in a third country (e.g., when an EU data subject inserts his/her personal data in an online order form on the website of a U.S. company), the second criterion is not met (i.e., because there is no transfer from a controller or processor to another controller, joint controller, or processor), meaning no transfer occurs and no transfer mechanism is required. Guidelines ¶12.
- No Transfer Obligations if One Entity is Both the Exporter and the Importer. To qualify as a transfer, there must be (1) a controller or processor disclosing the personal data (e., the exporter); and (2) a different controller or processor receiving or being given access to the data (i.e., the importer). Thus for example, when the employee of a company based in the EU travels to a country outside of the EU and remotely accesses personal data on his company’s databases in order to perform work, the second criterion is not met because the exporter and the importer are one and the same. Guidelines ¶14.
- Data Transfer Mechanisms Required If Transfers are Between Two, Separate Corporate Entities in the Same Corporate Group. The Guidelines confirm that a transfer mechanism is required for a transfer from one entity in a corporate group to another entity in the same group. Guidelines ¶16.
- Tailored Data Transfer Mechanisms Required Even if the Importer is Subject to the GDPR. Although the EDPB acknowledged the inherent duplication in GDPR requirements when Article 3 and Chapter V are applied concurrently, it concluded that tailored transfer mechanisms are needed when personal data is transferred outside of the EU even if the foreign entities to which the data is transferred are subject to the GDPR. The EDPB’s rationale is that such additional safeguards are needed to prevent foreign legislation from undermining protections provided by the GDPR and the EU legal framework. The EDPB acknowledged its guidance created new complexity by requiring another transfer tool. “[W]hen developing relevant transfer tools (which are currently only available in theory), i.e., standard contractual clauses or ad hoc contractual clauses, the Article 3(2) situation should be taken into account in order not to duplicate the GDPR obligations but rather to address the elements and principles that are ‘missing’ and, thus, needed to fill the gaps relating to conflicting national laws and government access in the third country as well as the difficulty to enforce and obtain redress against an entity outside the E.U.” Guidelines ¶23. The EDPB highlights one current transfer challenge, which is that updated standard contractual clauses are not designed for transfers to importers in third countries that are subject to the GDPR under article 3(2). See Recital 7 of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses. In a recent live conversation regarding these guidelines, the EDPB Secretariat Head Isabelle Vereecken warned against using an existing transfer tools because “there is a risk it won’t fit or be accepted. This risk embedded here needs not to be disregarded.” Live Conversation at 35:54. The problem is, of course, that there is no current alternative. The EDPB has noted that it “stands ready to cooperate in the development of a transfer tool, such as a new set of standard contractual clauses, in cases where the importer is subject to the GDPR for the given processing in accordance with Article 3(2).” Guidelines ¶23. The problem is that there is no current alternative. The EDPB has noted that it “stands ready to cooperate in the development of a transfer tool, such as a new set of standard contractual clauses, in cases where the importer is subject to the GDPR for the given processing in accordance with Article 3(2).” Guidelines ¶23.
- GDPR Compliance, including Compliance with Security Safeguards and DPIA Obligations, Required for International Data Flows that are Not “Transfers.” The EDPB clarifies that even data flows that are not ‘transfers’ are subject to the GDPRs’ security and data protection impact assessment obligations. Guidelines ¶17. GDPR compliance, including compliance with respect to GDPR provisions governing controller obligations (Article 24), security of processing (Article 32), data breach notification (Article 33), data protection impact assessments (Article 35) and transfers or disclosures not authorized by EU law (Article 48), is required. Guidelines ¶17.The EDPB’s public consultation on these new Guidelines will close on January 31st. The UK is conducting a similar public consultation. ICO Public Consultation on International Transfers (comment period for this consultation has closed).
Fey, LLC will continue to monitor developments in European data privacy law. To ensure you do not miss any articles or alerts we prepare on data protection laws and developments, you can follow our LinkedIn page here.
Eleazar Rundus contributed to this Post