
EDPB clarifies scope of data transfers

EDPB Releases Guidelines on the Interplay between Article 3 and Chapter 5 of the GDPR


November 19, 2021


On November 19, 2021, the European Data Protection Board (EDPB) released its draft guidelines on the interplay between Article 3 and Chapter V of the GDPR (the Guidelines) for public comment. The aim of the Guidelines is to clarify the interaction between the application of the GDPR’s territorial scope and its provisions relating to transfers of personal data to third countries or international organizations.

The Guidelines are intended to help controllers and processors subject to the GDPR identify whether a given processing activity constitutes a transfer to a third country or an international organization and, if so, whether Chapter V transfer tools and any supplementary measures are required for the transfer to take place lawfully.


What is a data transfer to a third country?

The GDPR does not explicitly define a transfer of personal data to a third country or to an international organization. In the Guidelines, the EDPB instead sets out the following three cumulative criteria, all of which must be met for a processing activity to qualify as such a transfer:

  1. A controller or a processor is subject to the GDPR for the given processing
  2. This controller or processor (exporter) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller, or processor (importer)
  3. The importer is in a third country or is an international organization, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3

Processing scenarios to clarify the EDPB’s criteria

The EDPB provides further guidance on each of the three criteria and illustrates them with specific processing situations. Under the second criterion, the Guidelines set out six examples that clarify the EDPB’s position on whether Chapter V of the GDPR applies to each scenario.

The six examples of processing scenarios in the EDPB Guidelines are:

  1. Controller in a third country collects data directly from a data subject in the EU
  2. Controller in the EU sends data to a processor in a third country
  3. Processor in the EU sends data back to its controller in a third country
  4. Processor in the EU sends data to a sub-processor in a third country
  5. Employee of a controller in the EU travels to a third country on a business trip
  6. A subsidiary (controller) in the EU shares data with its parent company (processor) in a third country

Examples where processing does not constitute a data transfer

The EDPB Guidelines include two examples in which the second criterion is not fulfilled, so the processing scenario should not be seen as a data transfer to a third country or international organization. These are Examples 1 and 5, which concern the direct collection of data from the data subject and remote access to personal data respectively.

Example 1 highlights that the collection of personal data directly from an individual in the EU by a controller outside the EU does not constitute a data transfer, because no exporter (controller or processor) is involved.

Example 1: Controller in a third country collects data directly from a data subject in the EU

Maria, living in Italy, inserts her personal data by filling in a form on an online clothing website in order to complete her order and receive the dress she bought online at her residence in Rome. The online clothing website is operated by a company established in Singapore with no presence in the EU. In this case, the data subject (Maria) passes her personal data to the Singaporean company, but this does not constitute a transfer of personal data since the data are not passed by an exporter (controller or processor), since they are passed directly and on her own initiative by the data subject herself. Thus, Chapter V does not apply to this case. Nevertheless, the Singaporean company will need to check whether its processing operations are subject to the GDPR pursuant to Article 3(2).

Example 5 highlights that remote access to personal data by an employee of a controller does not constitute a data transfer: a transfer requires two distinct parties (an exporter and an importer), and here the data remains within the same controller. The controller must still apply appropriate security measures to that remote access, but Chapter V is not triggered.

Example 5: Employee of a controller in the EU travels to a third country on a business trip

George, an employee of A, a company based in Poland, travels to India for a meeting. During his stay in India, George turns on his computer and accesses remotely personal data on his company’s databases to finish a memo. This remote access of personal data from a third country does not qualify as a transfer of personal data, since George is not another controller, but an employee, and thus an integral part of the controller (company A). Therefore, the disclosure is carried out within the same controller (A). The processing, including the remote access and the processing activities carried out by George after the access, are performed by the Polish company, i.e., a controller established in the Union subject to Article 3(1) of the GDPR.

Conclusion

The Guidelines state that if all three criteria are met, there is a “transfer to a third country or to an international organization” and the controller or processor must comply with the provisions of Chapter V. In practice, this means putting in place an appropriate transfer instrument so that the level of protection guaranteed by the GDPR travels with the personal data.

These instruments include a European Commission adequacy decision (Article 45) or one of the transfer tools listed in Article 46:

  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • Codes of conduct
  • Certification mechanisms
  • Ad hoc contractual clauses
  • International agreements/Administrative arrangements

Comments on the draft Guidelines may be submitted to the EDPB until January 31, 2022.
