The European Data Protection Board (EDPB) has provided further guidance on data transfers. Specifically, this most recent guidance clarifies what constitutes a “transfer.” While the concept of a transfer may seem straightforward, the debate for purposes of the GDPR was whether a transfer occurred when data physically left the EU or whether the trigger event was transferring data outside of the jurisdictional scope of the GDPR.
The newly issued guidelines clarify that when data is transferred outside of the EU, the additional data transfer provisions of Section V of the GDPR must be satisfied. A transfer occurs when the following three criteria are met:
- The controller or processor is subject to the GDPR (for that specific processing activity);
- The exporter (controller or processor) makes the personal data available to the importer (controller or processor); and
- The importer is located in a third country or is an international organization, whether or not this entity is subject to the GDPR’s extraterritorial reach.
Section V allows for the transfer of personal data from the EU to another country in limited circumstances, including where (1) the receiving country has been deemed to have adequate data protection laws; (2) appropriate safeguards are in place (e.g., Standard Contractual Clauses); or (3) a derogation applies to the specific transfer. Further, in the wake of the Schrems II decision, supplemental measures also may be required to ensure the data transfer complies with Section V.
Helpfully, the guidelines also provide examples of what is not a data transfer. Specifically, it is not a data transfer if an entity in a third country is obtaining information directly from an individual in the EU (although if that entity is otherwise targeting goods or services to individuals in the EU, it may be subject to the GDPR). It is also not a data transfer for an employee of a company subject to the GDPR to access company personal data while visiting a third country, such as accessing a company database while on a business trip.
Transferring data in compliance with the GDPR and supplemental EDPB guidance can be a complicated process. Our team has helped entities of all sizes from various sectors parse through complicated GDPR issues, ranging from determining whether the GDPR applies to developing compliance programs. If your organization has questions about the GDPR or the potential impact of this new guidance on your business, do not hesitate to reach out.