The Guidelines shed light on two key issues that remained unanswered after the adoption of the predecessor Guidelines on the territorial scope of the GDPR: the definition of the notion of “international data transfer”, and whether the obligations in relation to international data transfers apply to data importers that are already subject to the GDPR.
The key points made in the Guidelines are as follows:
- The Guidelines define the concept of “international data transfer”. In order to qualify as a “transfer”, a processing activity needs to meet three cumulative criteria: (1) the exporter (controller or processor) is subject to the GDPR for the given processing; (2) the exporter discloses by transmission, or otherwise makes personal data subject to this processing available to the importer (controller or processor); and (3) the importer is located in a third country or is an international organisation, irrespective of whether or not the importer is subject to the GDPR in respect of the given processing in accordance with article 3 GDPR.
- Exporters subject to the GDPR and located outside of the EU will also have to comply with the obligations in relation to international data transfers when transferring data to a third country or to an international organisation.
- There will not be a transfer when the data are disclosed directly by the data subject to the recipient as there will be no exporter sending or making the data available. Example 1 in the Guidelines describes a scenario where a data subject fills out a form on an online clothing website operated by a company established in Singapore. The EDPB concludes that, whilst the Singaporean company will need to check whether it is subject to the GDPR pursuant to article 3(2), this processing will not amount to an international data transfer as the data is not passed by a data exporter, but directly by the data subject.
- The concept of international data transfer only applies to disclosures of personal data between two different and separate entities. As such, Example 5 makes it clear that remote access to personal data by an employee (employed by a Polish company) from a third country does not qualify as a transfer, since the employee is an integral part of the employer rather than a separate recipient. The employer nonetheless remains responsible for that processing, including the security obligations that apply regardless of whether a transfer takes place (see the last point below).
- The return of non-EU data by an EU processor to a controller that is not subject to the GDPR would still qualify as an international data transfer. It is on this point that the EDPB may be deviating from the rationale of the GDPR (in particular, the final sentence of Article 44 and Recital 101) and from its own guidance on the territorial scope of the GDPR, from which it can be inferred that the legislator did not intend to extend the application of the GDPR (including through Chapter V) to situations where Article 3 does not envisage such application. Otherwise, the operation of Chapter V would artificially extend the applicability of the GDPR to cases where the specific provisions dealing with its territorial scope are not otherwise triggered.
- The provisions of Chapter V also apply where the processing carried out by the data importer is already subject to the GDPR by virtue of article 3(2) (the so-called “targeting criterion”). This is to avoid the protection afforded by the GDPR being undermined by other legislation the importer falls under. However, the EDPB acknowledges that fewer safeguards may be needed in this situation so as not to duplicate the GDPR obligations. As such, transfer tools used where the importer is subject to the GDPR under article 3(2) will only need to “fill the gaps”: the measures to be taken in case of a conflict of laws, the handling of legally binding requests for disclosure of data, and redress mechanisms. The EDPB encourages, and stands ready to cooperate in, the development of such a transfer tool, for example a new set of standard contractual clauses.
- Certain data flows may not qualify as “international data transfers” but may still carry risks for which safeguards must be envisaged, for example appropriate security measures under article 32 GDPR. In practice this means that the absence of a “transfer” does not remove the controller’s or processor’s duty to secure the processing; it only removes the Chapter V formalities.
In conclusion, the overall verdict on the Guidelines is that, whilst they are a clear and helpful document, some questions remain to be addressed and others would benefit from refinement. At this stage, the document is a draft open for consultation until 31 January 2022.
Authored by Nicola Fulford and Paula Garcia.