Data Transfers from the EU – Further Guidance Issued

Wiley Rein LLP

The European Data Protection Board (EDPB) has provided further guidance on data transfers. Specifically, this most recent guidance clarifies what constitutes a “transfer.” While the concept of a transfer may seem straightforward, the debate for purposes of the GDPR was whether a transfer occurred when data physically left the EU or whether the trigger event was transferring data outside of the jurisdictional scope of the GDPR.

The newly issued guidelines clarify that when data is transferred outside of the EU, then the additional data transfer provisions of Section V of the GDPR must be satisfied. A transfer occurs when the following three criteria are met:

  • The controller or process is subject to the GDPR (for that specific processing activity);
  • The exporter (controller or processor) makes the personal data available to the importer (controller or processor); and
  • The importer is located in a third country or is an international organization, whether or not this entity is subject to the GDPR’s extraterritorial reach.

Section V allows for the transfer of personal data from the EU to another country in limited circumstances, including (1) the receiving country has been deemed to have adequate data protection laws; (2) appropriate safeguards are in place (e.g., Standard Contractual Clauses); (3) a derogation applies to the specific transfer. Further, in the wake of the Schrems II decision, supplemental measures also may be required to ensure the data transfer complies with Section V.

Helpfully, the guidelines also provide examples of what is not a data transfer. Specifically, it is not a data transfer if an entity in a third country is obtaining information directly from an individual in the EU (although if that entity is otherwise targeting goods or services to individuals in the EU, it may be subject to the GDPR). It is also not a data transfer for an employee of a company subject to the GDPR to access company personal data while visiting a third country, such as accessing a company database while on a business trip

Transferring data in compliance with the GDPR and supplemental EDPB guidance can be a complicated process. Our team has helped entities of all sizes from various sectors parse through complicated GDPR issues – including determining whether the GDPR applies to developing compliance programs. If your organization has questions about the GDPR or the potential impact of this new guidance on your business, do not hesitate to reach out.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Wiley Rein LLP | Attorney Advertising

Written by:

Wiley Rein LLP

Wiley Rein LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.