Insights & news

EDPB Explains Concept of International Transfers under GDPR and Discusses Interplay with Territorial

  • 25/11/2021
  • Articles

On 19 November 2021, the European Data Protection Board (the EDPB) published Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the General Data Protection Regulation (the GDPR) (the Guidelines) for public consultation. The Guidelines are intended to clarify which international transfers of data fall within the scope of Chapter V of the GDPR and therefore require safeguards or other measures to ensure protection of the personal data that are being transferred. In addition, the EDPB calls on the European Commission to adopt a new set of Standard Contractual Clauses for cases where the importer established in a third country is already subject to the GDPR on the basis of the application of GDPR to non-EU based organisations under Article 3(2) of the GDPR.

First, the Guidelines set out when a processing constitutes a “transfer of personal data to a third country or to an international organisation” (a Transfer) which triggers the application of the provisions of Chapter V of the GDPR. The Guidelines provide three cumulative criteria that, when satisfied, means a processing qualifies as a Transfer: thus, data must be sent or made available: (i) by a controller or a processor (i.e., an exporter), which, regarding the given processing, is subject to the GDPR pursuant to Article 3 (i.e., the territorial application of GDPR); (ii) to a different controller, joint controller or processor (i.e., an importer); (iii) which is in a third country, regardless of whether or not this importer is subject to the GDPR in respect of the given processing. The Guidelines further describe each criterion, providing some practical examples.

Moreover, the Guidelines stress that Chapter V of the GDPR also applies to transfers or disclosures of personal data carried out by controllers or processors which are not established in the European Union (EU) but are subject to the GDPR pursuant to Article 3(2) because they: (a) offer goods or services to data subjects in the EU; or (b) monitor the behaviour of data subjects in the EU, to another controller or processor.

By contrast, if the three cumulative criteria identified by the Guidelines are not met, there is no Transfer and Chapter V of the GDPR does not apply. For instance, the Guidelines explain that a situation whereby a controller in a third country collects data directly from data subjects in the EU does not constitute a Transfer. However, in such a case, the EDPB makes it clear that the controller or processor which is subject to the GDPR under Article 3 is still accountable for all processing that it controls, regardless of where such processing takes places, and that the risks of data processing in third countries must still be managed in order to comply with the GDPR.

Second, the Guidelines outline that where all the above criteria are met, the processing will be considered to be a Transfer and the exporter must comply with the conditions laid down in Chapter V of the GDPR. This means that the controller or processor must use the instruments that aim to protect personal data after they have been transferred to a third country or to an international organisation. These instruments include:

  • the existence of an adequate level of protection in the third country or international organisation, pursuant to Article 45 of the GDPR or, in the absence of such adequate level of protection;
  • the implementation by the exporter of appropriate safeguards, pursuant to Article 46 of the GDPR (i.e., standard contractual clauses, binding corporate rules, codes of conduct, certification mechanisms, ad hoc contractual clauses, international or administrative agreements); or
  • derogations under Article 49 of the GDPR.

In that regard, the Guidelines explain that the content of these safeguards must be customised based on each situation. When controllers and processors develop relevant transfer tools, such as Standard Contractual Clauses, they must take account of Article 3(2) so as not to duplicate the GDPR obligations, but rather to address what is missing and hence, fill the gaps. For example, such tools must address the measures to be taken in cases of a conflict of laws between third country legislation and the GDPR.

In line with this approach, the EDPB encourages the development of a transfer tool for those cases where the importer is subject to the GDPR for a given processing pursuant to Article 3(2).

The Guidelines can be consulted here and are subject to public consultation until the end of January 2022.

Key contacts

Related practice areas

Related insights

Sign up for updates
    • 30/11/2021
    • Newsletters

    VBB on Belgian Business Law, Volume 2021, No. 10

    The October 2021 issue of our Belgian Business Law newsletter reporting on the latest developments in a range of areas, including competition, data protection, intellectual property and labour law.

    Read more
    • 26/10/2021
    • Newsletters

    VBB on Belgian Business Law, Volume 2021, No. 9

    The September 2021 issue of our Belgian Business Law newsletter reporting on the latest developments in a range of areas, including competition, data protection, intellectual property and labour law.

    Read more
    • 25/10/2021
    • Articles

    EDPB Opinion on Draft Adequacy Decision for South Korea

    On 27 September 2021, the European Data Protection Board (EDPB) issued a favourable opinion on the European Commission’s draft adequacy decision for the Republic of Korea. The opinion is an important step towards a formal adequacy decision. Once the formal decision has been adopted, personal data can flow freely from the European Economic Area (EEA) to South Korea. This means that further safeguards or authorisations such as binding corporate rules or contractual clauses would no longer be required (see our note on European Union and South Korea Conclude Adequacy Talks). The EDPB’s opinion concludes that the key aspects of South Korea’s data protection framework are essentially equivalent to the European data protection framework. The EDPB’s opinion focused on the general features of the EU General Data Protection Regulation (GDPR) and the local South Korean laws providing access by public authorities to personal data transferred from the EEA for law enforcement and national security purposes. Please click on the link below to read our note on the subject.

    Read more

Subscribe to our updates

Please select the practice areas you are interested in: *