It is well known that the EU GDPR (specifically, Chapter V) restricts transfers of personal data from the EU to a “third country” (i.e. a jurisdiction outside the EEA) or to an international organisation. But what is meant by a “transfer”? And how does this apply where the extra-territorial reach of the EU GDPR (as defined in Article 3) means an organisation outside the EEA is required to comply with the EU GDPR, including Chapter V, while the personal data may already be outside the EU’s territory?
On 19 November 2021, the European Data Protection Board (“EDPB”) published draft Guidelines 05/2021 on the Interplay between the application of Article 3 and Chapter V of the GDPR. The EDPB identified three criteria which must all be satisfied in order for a “transfer” to occur:
1. A controller or processor is subject to the EU GDPR for the given processing.
First and foremost the exporting organisation must be subject to the EU GDPR for the relevant processing. Under Article 3(2), this therefore includes organisations not established in the EU which are subject to the EU GDPR under the “targeting” of goods/services or “monitoring of behaviour” grounds. A transfer could therefore take place between two “third country” based organisations (e.g. a controller in the USA and a processor based in the USA or Brazil).
2. This controller or processor (“exporter”) discloses by transmission, or otherwise makes personal data, subject to this processing, available, to another controller, joint controller or processor (“importer”).
The draft guidance offers a number of interesting insights on this aspect:
- Online Consumers: There will be no transfer where personal data are disclosed directly and on the initiative of a data subject in the EU to a controller or processor located in a third country, for instance through a customer in Italy entering personal data into the online form of a retailer established in Singapore which has no EU presence. If this remains in the final guidance, it will be welcomed by online retailers.
- Separate Entities: There will only be a transfer where personal data is shared between two separate controllers and/or processors; data disclosures between entities in the same corporate group may therefore constitute transfers.
- International Business Trips: Where personal data are accessed remotely from a third country, this will not be a transfer where the data is accessed by an employee (on the basis that such an employee is an “integral part of the controller” and not a separate importing entity). For instance, an employee accessing personal data via their employer’s computer systems during a work trip to India will not constitute a “transfer” under Chapter V. Organisations will still need to apply appropriate technical and organisational measures to the data (Article 32, EU GDPR) and might conclude that employees cannot bring their laptops to certain countries, based on a security risk assessment.
3. The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the EU GDPR in respect of the given processing in accordance with Article 3.
The draft guidance states that while the importer needs to be in a third country (or an international organisation), it doesn’t matter whether the importer is subject to the EU GDPR or not when it comes to deciding whether a transfer is occurring.
- Sending data “home”: the draft guidance gives two examples where EU processors are sending personal data “back” to controller organisations in a third country. In one example the importer is subject to the EU GDPR (offering goods and services to individuals in the EU) and in the other the importer is not. Chapter V will apply to both situations although the guidance hints that the safeguards expected may well be different.
In our next FAQ, we will look at what consequences and expectations may flow from these different types of “transfer” in terms of safeguards, and the current thinking on whether the European Commission’s new June 2021 standard contractual clauses (“SCCs”) can be used where the importer is subject to the EU GDPR.
The EDPB’s draft guidelines are the subject of a public consultation which is scheduled to end on 31 January 2022.