The EDPB Issues Guidelines Clarifying What Constitutes an International Data Transfer Under the GDPR
On November 19, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 05/2021 (the “Guidelines”) on the interplay between the application of Article 3 of the EU General Data Protection Regulation (“GDPR”), which sets forth the GDPR’s territorial scope, and the GDPR’s provisions on international data transfers. The Guidelines aim to assist organizations subject to the GDPR in identifying whether a data processing activity constitutes an international data transfer under the GDPR, as the GDPR does not define the term.
The Guidelines set forth three criteria to consider in determining whether a processing activity qualifies as an international data transfer under the GDPR:
The exporting controller or processor is subject to the GDPR for the given processing activity.
The exporting controller or processor transmits or makes available the personal data to the data importer (e.g., another controller, joint controller or a processor). The Guidance clarifies that the collection of data directly from data subjects in the EU does not constitute an international data transfer, as there is no controller or processor sending or making the data available. This second criterion also implies that two separate parties must be involved in the transfer (e.g., there is no transfer where personal data travels outside of the EU with an employee of an EU controller on a business trip). The EDPB does, however, emphasize that entities of one corporate group may qualify as separate controllers or processors under the GDPR.
The data importer is in a third country (or is an international organization), irrespective of whether the data importer or its processing activities are subject to the GDPR. For example, where an EU processor sends personal data back to a controller that is not established in the EU but that falls within the scope of the GDPR because it offers goods and services to the EU market, the Guidelines confirm that this data flow constitutes an international data transfer, even if both parties fall under the scope of the GDPR.
Where the three criteria listed above are met, the data flow is considered an international data transfer under the GDPR, and the obligations of Chapter V of the GDPR will apply. Notably, the parties will need to ensure that an appropriate level of protection is guaranteed in the receiving country (e.g., through Standard Contractual Clauses, Binding Corporate Rules, codes of conduct, certification mechanisms, ad-hoc contractual clauses, or where one of the derogations set forth under Article 49 of the GDPR applies).
The Guidelines further clarify that the safeguards implemented to accommodate the international data transfer must be tailored to the specific transfer at issue. The EDPB, for example, indicates that the transfer of personal data to a controller in a third country that is subject to the GDPR will generally require fewer safeguards. In such case, rather than duplicate the GDPR’s obligations, the transfer tool used should address the elements and principles that are specific to the importing jurisdiction, particularly with respect to conflicting national laws, government access requests in the receiving third country and the difficulty for data subjects to obtain redress against an entity in the receiving third country.
The EDPB has offered its assistance and cooperation in developing a transfer tool, such as a new set of Standard Contractual Clauses, to cover situations where the data importer is subject to the GDPR for the given data flow and related processing.
The EDPB welcomes comments on the draft Guidelines by January 31, 2022 (the public consultation is available here).