The European Data Protection Board adopted new Guidelines (05/2021) on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR on 18 November 2021.
These Guidelines aim to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers. The Guidelines will be subject to public consultation until the end of January 2022.
The guidelines shed light on the dispute over whether it is possible to transfer data to third countries without entering into SCCs if the GDPR already applies to the recipient’s data processing.
By way of introduction, the EDPB states that Art. 44 et seq. GDPR (Chapter V) set out the conditions under which a transfer of personal data to third countries may take place, and summarizes that the overriding purpose of the provisions of Chapter V is to ensure that the level of protection of the GDPR is not undermined when personal data are transferred to third countries.
To the extent that data is processed within the EU/EEA, the personal data is secured not only by the GDPR, but also by other EU/member state level regulations that must meet the standards of the GDPR.
However, where personal data is transferred outside the EU, the overarching protection of the GDPR no longer applies.
Therefore – according to the EDPB – protection must be provided by other means.
This may be done through the existence of an adequacy decision by the European Commission or appropriate safeguards in accordance with Chapter V of the GDPR. If one of the transfer tools of Art. 46 GDPR is used, it must be examined whether further supplementary measures are necessary to ensure the required level of protection.
Recital 7, sentences 2 and 3, in particular has sparked a dispute in the data protection world in this respect, since according to it the new SCCs (Decision – EU 2021/914) may only be used if the importer does not fall within the scope of the GDPR.
The EDPB clarifies that Chapter V of the GDPR also applies to situations where the data processing falls under Article 3(2) of the GDPR. In this respect, the provisions of Chapter V are intended to compensate for the risks and complement the territorial scope when personal data are transferred outside the EU.
Criteria for transfer of personal data to a third country
Since the GDPR does not define the notion of "transfer of personal data to a third country", the EDPB has developed 3 criteria that must be cumulatively present:
- A controller or a processor is subject to the GDPR (Art. 3 GDPR) for the given processing;
- This controller or processor ("exporter") discloses by transmission or otherwise makes personal data, subject to the processing, available to another controller, joint controller or processor ("importer");
- The importer is in a third country irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Art. 3 GDPR.
For the first criterion, the EDPB emphasizes that, with reference to Art. 3 GDPR, the specific data processing in question must be considered in each case, rather than a specific entity (e.g. a company).
A case-by-case consideration is also necessary for the second criterion (transmission from an exporter to an importer): each data transmission and the role of the actors involved must be considered individually.
For the second criterion, the EDPB provides some illustrative examples, e.g. the case in which a direct transfer of personal data to a third country takes place on the data subject's own initiative (e.g. when ordering goods). For this case, the EDPB clarifies that in this constellation there is no controller or processor ("exporter") sending or making the data available.
It is further clarified that the importer and exporter must be two different parties. This is not the case, for example, if an employee as part of the controller takes his company laptop to a third country and transmits personal data from there to his employer as controller.
Although in this case, the data transfer does not fall under Chapter V of the GDPR, the EDPB emphasizes that the controller is nevertheless obliged to maintain appropriate technical and organizational measures in accordance with Art. 32 GDPR.
Moreover, if a subsidiary in Europe shares personal data (for example HR data) with its parent company in the USA, the subsidiary is subject to the GDPR under Art. 3 (1) GDPR, while the transfer to the parent company is made to a third country (here the USA). This is a third country transfer, which falls under Chapter V of the GDPR.
The third criterion is met if the importer is geographically located in a third country, regardless of whether the data processing falls within the scope of the GDPR. The EDPB thereby clarifies that even where, for example, the GDPR already applies via Art. 3 (2) GDPR, there is nevertheless a third country transfer and Chapter V of the GDPR is therefore applicable.
What is the conclusion?
Where the 3 criteria outlined by the EDPB are fulfilled, a third country transfer exists.
In such a transfer situation, the controller or processor must comply with the requirements of Chapter V of the GDPR. Therefore, either an adequacy decision of the Commission according to Art. 45 must be available for the respective third country, or one of the transfer tools of Art. 46 GDPR has to be used.
The EDPB clarifies that the safeguards must be adapted to the respective situation and notes that the safeguards for a transfer by a processor are different from those that a controller has to fulfill. The EDPB gives an example in which lower security measures are needed if a third country controller already falls within the scope of the GDPR for the respective data processing.
Art. 3 (2) GDPR should therefore be given weight insofar as the requirements imposed by the GDPR on data processing should not simply be duplicated. Rather, the assessment should determine which elements and principles are necessary to fill the gaps that may arise from another national law or from government access to the personal data in the third country.
The EDPB clarifies at the end of the guidelines that it encourages and stands ready to cooperate in the development of a transfer tool, such as a new set of SCCs, in cases where the importer is subject to the GDPR for the given processing in accordance with Art. 3 (2) GDPR, as a transfer tool for this situation is currently only available in theory.
Last but not least, the EDPB emphasizes that where there is no third country transfer under the above criteria and Chapter V of the GDPR does not apply, a controller is still responsible for any data processing it controls, irrespective of where that processing takes place. In this respect, third-country transfers may always require measures to prevent or mitigate risks.