On February 24, 2023, following public consultation, the European Data Protection Board (EDPB) published the long-awaited final version of its guidelines on the interplay between Article 3 of the GDPR and the provisions on international transfers of personal data in Chapter V of the GDPR. These guidelines help controllers and processors determine, among other things, when a processing of personal data qualifies as an international transfer, which in turn makes it subject to the stringent GDPR rules on international transfers.
The international transfer of personal data outside the EEA is in principle not allowed under Chapter V of the GDPR, unless the transfer is based on one of the GDPR's approved transfer mechanisms.
Consequently, any organization that processes personal data in a cross-border context first needs to determine whether it is transferring personal data outside the EEA. The GDPR does not define the notion of a "transfer of personal data to a third country or international organization", which often leaves organizations puzzled as to whether their processing is caught by Chapter V. The final guidelines clarify this point and illustrate it with examples.
According to the guidelines, a processing of personal data qualifies as an international transfer when the following three cumulative criteria are met: (i) a controller or processor is subject to the GDPR for the given processing; (ii) this controller or processor (the "exporter") discloses by transmission, or otherwise makes available, personal data to another controller, joint controller or processor (the "importer"); and (iii) the importer is located in a third country, irrespective of whether the importer is itself subject to the GDPR for the given processing under Article 3 GDPR, or is an international organization.
A controller or processor is subject to the GDPR for the given processing
The GDPR rules on international transfers apply only if the processing of personal data falls within the territorial scope of the GDPR. First, the GDPR applies to processing carried out in the context of the activities of an establishment of a controller or processor in the EEA. Secondly, the GDPR also reaches controllers or processors not established in the EEA where they offer goods or services to data subjects in the EU or monitor the behaviour of such data subjects.
The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to the importer
The exporter must disclose or otherwise make available personal data to another controller or processor, i.e. the importer. A transfer therefore requires two separate entities (each of them a controller, joint controller or processor). Consequently, a flow of data within the same controller or processor, and the direct collection of data from the data subject, are not international transfers.
The guidelines further clarify the notion of "disclose by transmission or otherwise make available" through a number of examples. Personal data can be "made available" by creating an account, granting access rights to an existing account, "confirming" or "accepting" an effective request for remote access, embedding a hard drive, or submitting a password to a file. This means that remote access from a third country, or even the display of personal data on a screen, e.g. in support, troubleshooting or administrative situations, is a transfer of personal data, even though no copy of the data may be retained by the importer.
It is also important to highlight that a processor may itself transfer personal data to a third country. In that case the processor acts as data exporter on behalf of the controller and must comply with Chapter V GDPR, including the adoption of an appropriate transfer tool. For instance, an EU processor that processes non-EU customer data on behalf of a non-EU controller and sends these data back to that controller is subject to the GDPR rules on international transfers.
Finally, entities of the same corporate group may qualify as separate controllers or processors. A disclosure between group entities may therefore also be subject to the rules on transfers of personal data.
The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing, or is an international organization.
The importer must be located in a third country or be an international organization. The guidelines give the following illustrations:
- A processor established in the EU sends data back to its controller located in a third country;
- A processor with no establishment in the EU has remote access to data located in the EU; or
- A processor located in the EU but subject to the legislation of a third country receives a government access request from that country. If the processor acts on such a request, the disclosure is a transfer of data.
Implication of data transfers
If all three criteria are met, the organization must comply with Chapter V of the GDPR, which requires the data exporter, among other things, to rely on one of the GDPR's approved transfer mechanisms and, where it relies on an Article 46 tool, to conduct a "transfer impact assessment" (TIA) for each third country receiving the data.
The TIA is an assessment by the data controller or processor of the legal environment and security implications of a transfer of personal data to a country outside the EEA, in particular whether the laws and practices of that country undermine the protection provided by the chosen transfer tool. Following the Schrems II decision, the EDPB Recommendations on Supplementary Measures and the Standard Contractual Clauses (SCCs) of June 2021, a TIA is expected for any transfer that relies on SCCs, BCRs or another Article 46 tool; a transfer covered by an adequacy decision does not require one.
The TIA goes hand in hand with the choice of transfer tool and determines whether supplementary measures (contractual, organizational or technical, such as encryption with keys held only in the EEA) are needed. The transfer tools are: (i) an adequacy decision adopted by the European Commission or, in the absence of an adequacy decision, an Article 46 tool, i.e. (ii) Standard Contractual Clauses (SCCs), (iii) Binding Corporate Rules (BCRs), (iv) a Code of Conduct (CoC), (v) a certification mechanism, or (vi) an international agreement or other legally binding instrument between public authorities. The derogations of Article 49 GDPR are available only for specific, non-repetitive situations and are not a substitute for a transfer tool.
We continue to monitor the EDPB's guidelines closely and will keep you updated on the impact that new guidelines may have on your business.
Originally published 3 March 2023
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.