EDPB Publishes Guidelines on the Interplay Between Territorial Scope and International Transfer under the GDPR
23 November 2021
Technology & eCommerce Regulation in the Spotlight
In the aftermath of Schrems II and the publication of the new Standard Contractual Clauses by the European Commission, the European Data Protection Board (“EDPB”) has published its guidelines on the interplay between the territorial scope of the General Data Protection Regulation (“GDPR”) and the provisions governing transfer of personal data outside the European Union (“the Guidelines”). The aim of the Guidelines is to assist controllers and processors in identifying whether a processing constitutes a “transfer” of personal data to a third country or an international organization, which requires compliance with the specific provisions of Chapter V of the GDPR.
According to the EDPB, three cumulative criteria need to be met for a processing to qualify as a transfer:
1. A Controller or Processor is subject to the GDPR – The first criterion requires that the processing activity by the controller or processor who exports the data be subject to the GDPR, pursuant to Article 3 of the GDPR. The EDPB emphasizes that a transfer could occur regardless of the role and place of establishment of the data exporter, i.e. a transfer can occur even if personal data is transferred by a processor established outside the European Union, as long as the processing is subject to the GDPR (e.g., based on the extraterritorial applicability under Article 3).
2. The data exporter discloses or makes personal data available to another controller or processor – This requirement is fulfilled only when the processor or controller (who is the data exporter) discloses, or makes available, personal data to another controller or processor (data importer). As such, any disclosure of personal data directly by a data subject, and on his own initiative, to a controller or processor outside the European Union shall not be subject to Chapter V of the GDPR.
The second criterion also implies that Chapter V shall only apply to disclosure of personal data between two different entities. This means that any disclosure or sharing of personal data between an exporter and an importer within the same controller/processor shall not be classified as an international transfer for the purpose of Chapter V of the GDPR (unless the transfer is between two different legal entities in the same group).
Interestingly, according to the EDPB, Chapter V shall also be applicable in a scenario where an EU-based processor re-transmits personal data, relating to non-EU data subjects, to a controller which is located outside the European Union, although such data was not subject to the GDPR at the time of collection, since the processor is subject to the GDPR on the basis of Article 3(1).
3. The data importer is in a third country or is an international organization – The third criterion requires that the data importer will be geographically in a third country outside the European Union or will be an international organization. The question of whether the processing of personal data by the data importer is subject to the GDPR is of no relevance for this criterion to apply.
If all three criteria identified above are met, there is a transfer of personal data outside of the EU, and the exporter must comply with the conditions of Chapter V for the transfer of personal data, implementing appropriate safeguards to ensure an adequate level of protection as provided for in Article 46 of the GDPR.
The EDPB emphasizes that there are no one-size-fits-all solutions, and that the safeguards should be customized depending on the situation. Factors that need to be taken into consideration include, but are not limited to, the role of the data exporter (i.e., is it the controller or the processor), the third country to which that personal data is transferred, the sensitivity and scope of transfer, etc.
In its conclusion, the EDPB addresses the question of the applicability of the existing Standard Contractual Clauses to transfers of personal data to controllers/processors which are subject to the GDPR on the basis of Article 3(2). According to the EDPB, the existing Standard Contractual Clauses, which were recently published by the European Commission, create a duplication of the GDPR obligations and are not applicable to transfers of personal data to data importers which are already subject to the GDPR.
Ultimately, the EDPB points out that although a certain flow of personal data may not constitute a transfer under Chapter V of the GDPR (e.g., transmission of personal data within the same controller), it may still be associated with risks for which additional safeguards must be envisaged on the basis of Article 32 of the GDPR.
Please feel free to contact us if you have any questions regarding the implications of these Guidelines on your data sharing practices.
Ariel Yosefi, Partner
Head of Technology & eCommerce Regulation