EDPB Explains Concept of International Transfers under GDPR and Discusses Interplay with Territorial
On 19 November 2021, the European Data Protection Board (the EDPB) published Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the General Data Protection Regulation (the GDPR) (the Guidelines) for public consultation. The Guidelines are intended to clarify which international transfers of data fall within the scope of Chapter V of the GDPR and therefore require safeguards or other measures to ensure protection of the personal data that are being transferred. In addition, the EDPB calls on the European Commission to adopt a new set of Standard Contractual Clauses for cases where the importer established in a third country is already subject to the GDPR on the basis of the application of GDPR to non-EU based organisations under Article 3(2) of the GDPR.
First, the Guidelines set out when processing constitutes a “transfer of personal data to a third country or to an international organisation” (a Transfer), which triggers the application of the provisions of Chapter V of the GDPR. The Guidelines provide three cumulative criteria that, when satisfied, mean that the processing qualifies as a Transfer. Data must be sent or made available: (i) by a controller or a processor (i.e., an exporter), which, regarding the given processing, is subject to the GDPR pursuant to Article 3 (i.e., the territorial application of GDPR); (ii) to a different controller, joint controller or processor (i.e., an importer); (iii) which is in a third country, regardless of whether or not this importer is subject to the GDPR in respect of the given processing. The Guidelines further describe each criterion, providing some practical examples.
Moreover, the Guidelines stress that Chapter V of the GDPR also applies to transfers or disclosures of personal data to another controller or processor carried out by controllers or processors which are not established in the European Union (EU) but are subject to the GDPR pursuant to Article 3(2) because they: (a) offer goods or services to data subjects in the EU; or (b) monitor the behaviour of data subjects in the EU.
By contrast, if the three cumulative criteria identified by the Guidelines are not met, there is no Transfer and Chapter V of the GDPR does not apply. For instance, the Guidelines explain that a situation whereby a controller in a third country collects data directly from data subjects in the EU does not constitute a Transfer. However, in such a case, the EDPB makes it clear that the controller or processor which is subject to the GDPR under Article 3 is still accountable for all processing that it controls, regardless of where such processing takes place, and that the risks of data processing in third countries must still be managed in order to comply with the GDPR.
Second, the Guidelines outline that where all the above criteria are met, the processing will be considered to be a Transfer and the exporter must comply with the conditions laid down in Chapter V of the GDPR. This means that the controller or processor must use the instruments that aim to protect personal data after they have been transferred to a third country or to an international organisation. These instruments include:
- the existence of an adequate level of protection in the third country or international organisation, pursuant to Article 45 of the GDPR; or, in the absence of such an adequate level of protection:
- the implementation by the exporter of appropriate safeguards, pursuant to Article 46 of the GDPR (i.e., standard contractual clauses, binding corporate rules, codes of conduct, certification mechanisms, ad hoc contractual clauses, international or administrative agreements); or
- derogations under Article 49 of the GDPR.
In that regard, the Guidelines explain that the content of these safeguards must be customised based on each situation. When controllers and processors develop relevant transfer tools, such as Standard Contractual Clauses, they must take account of Article 3(2) so as not to duplicate the GDPR obligations, but rather to address what is missing and hence, fill the gaps. For example, such tools must address the measures to be taken in cases of a conflict of laws between third country legislation and the GDPR.
In line with this approach, the EDPB encourages the development of a transfer tool for those cases where the importer is subject to the GDPR for a given processing pursuant to Article 3(2).
The Guidelines can be consulted here and are subject to public consultation until the end of January 2022.