When do the GDPR Transfer Rules Apply? The EDPB Provides Insight into the Interplay Between Article 3 and Chapter V of the GDPR
The European Data Protection Board (the “EDPB”) has published guidance that aims to assist controllers and processors in determining whether processing of personal data constitutes a transfer outside the European Economic Area (the “EEA”). The EDPB considers the interaction between the territorial scope of the General Data Protection Regulation (the “GDPR”) and the provisions of the GDPR relating to international transfers, and aims to increase understanding of international transfers of personal data generally.
On 19 November 2021, the EDPB published guidelines for public consultation on the interplay between the application of Article 3 of the GDPR (which sets out its territorial scope) and the provisions on international transfers (which are set out in Chapter V of the GDPR) (the “Guidelines”) [1]. The Guidelines provide a helpful overview of the provisions in the GDPR that relate to international transfers, and note that the purpose of Chapter V is to “ensure that the level of protection guaranteed by the GDPR is not undermined” and that personal data transferred to a third country or international organisation continues to be protected to an equivalent degree.
What constitutes a transfer?
In light of the fact that the GDPR does not define a ‘transfer’ of personal data to a third country or international organisation (a “Transfer”), the EDPB identified the following criteria that must be satisfied in order for processing to constitute a Transfer:
- The controller or processor must be subject to the GDPR for the particular processing;
- The controller or processor must disclose “by transmission”, or otherwise make available, personal data to another controller, joint controller or processor. These controllers/processors are known as the ‘exporter’ and the ‘importer’ respectively; and
- The ‘importer’ must be situated in a third country or be an international organisation, irrespective of whether or not the relevant entity falls under Article 3 of the GDPR in respect of the particular processing.
The Guidelines set out useful practical examples of how each of the above criteria might be applied in practice, and we have considered some notable points below.
1. Application of the GDPR
The Guidelines note that this criterion requires a controller or processor to consider whether the particular processing is subject to the GDPR by way of Article 3 of the GDPR, and refer controllers and processors to the EDPB’s guidelines on the territorial scope of the GDPR [2] to aid them in their analysis. The Guidelines draw attention to the fact that controllers or processors not established in the EU may still be subject to the GDPR under Article 3(2), and as such will have to comply with Chapter V of the GDPR when engaging in a Transfer. This may come as a surprise to organisations that assumed that Chapter V of the GDPR would only apply if the transferor was located within the EEA.
2. Disclosure by transmission
With respect to this criterion, the Guidelines state that a case-by-case analysis of the particular processing and the roles of the relevant entities is required, and refer to additional guidelines to assist with that analysis [3]. Of note, the Guidelines state the following:
- A Transfer will not exist where personal data is disclosed directly by the data subject to a controller or processor outside the EEA on their own initiative (although the relevant controller may still be subject to the GDPR by virtue of Article 3(2));
- A Transfer may exist where a processor transfers personal data to another processor or to a controller as instructed by its controller;
- In order for a Transfer to exist, the disclosure of personal data must be between two separate entities (although intra-group disclosures of personal data may qualify); and
- Even if a Transfer does not exist, there may still be risks to the processing, such as conflicting laws or government access in the applicable third country. The Guidelines emphasise that a controller is still required to comply with the obligations set out in the GDPR, regardless of where the processing takes place. The Guidelines note that a controller may determine that extensive security measures are required to proceed with the processing of personal data in the third country (even where a Transfer does not exist), or that the processing would not be lawful.
3. Third country or international organisation
In relation to the final criterion, the Guidelines note that a Transfer will exist where the ‘importer’ is located in a third country or is an international organisation. The Guidelines emphasise that a Transfer will exist in these circumstances, regardless of whether the processing falls within the scope of the GDPR.
Where a Transfer exists
If a controller or processor establishes that any particular processing satisfies the above three criteria, the Guidelines note that the controller or processor must comply with the provisions set out in Chapter V of the GDPR, and apply appropriate safeguards in order to continue to protect the personal data (as provided for in Articles 45, 46 and 49 of the GDPR). The Guidelines stress that the appropriate safeguards will vary on a case-by-case basis.
Of particular note, the Guidelines state that “for a transfer of personal data to a controller in a third country less protection/safeguards are needed if such controller is already subject to the GDPR for the given processing”. In this regard, the Guidelines state that if the transfer is already subject to the GDPR by virtue of Article 3(2), the focus should be on addressing areas where additional protection is required, rather than duplicating the obligations under the GDPR. For example, the Guidelines refer to the need to address any conflict of laws and potential legally binding requests for the disclosure of personal data that may arise in the particular third country. Interestingly, the EDPB states that it “encourages and stands ready to cooperate in the development of a transfer tool, such as a new set of standard contractual clauses” that would address Transfers arising in these circumstances.
Conclusion
The Guidelines provide helpful guidance for controllers and processors in establishing whether a Transfer exists, with useful practical examples, and are open for public consultation until 31 January 2022. Controllers and processors who consider that they may be engaging in a Transfer should consult the above criteria, while keeping an eye out for the final guidelines published following public consultation, and any additional standard contractual clauses that may be developed.
Also contributed by Lisa Leonard.
[1] Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, adopted on 18 November 2021.
[2] Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), adopted on 12 November 2019.
[3] Guidelines 07/2020 on the concepts of controller and processor in the GDPR, adopted on 7 July 2021.
This document has been prepared by McCann FitzGerald LLP for general guidance only and should not be regarded as a substitute for professional advice. Such advice should always be taken before acting on any of the matters discussed.