On 19 November 2021, the European Data Protection Board (EDPB) published the much-awaited draft guidance on the interplay between the provisions of the GDPR on territorial scope (in Article 3) and on international data transfers (Chapter V).
The proposed guidance is highly relevant for any organisation engaging providers in third countries or processing personal data of individuals in the EU. It is also expected to address recital 7 of the European Commission's decision on the new set of standard contractual clauses (SCCs), which has caused some confusion about when the SCCs apply.
The draft guidelines will be open for consultation until 31 January 2021.
The draft guidelines suggest that, to qualify as a data transfer to a third country, a processing operation must meet three cumulative criteria. If these criteria are not met, there is no “transfer” and Chapter V of the GDPR does not apply. The EDPB names the following three criteria and provides detailed examples for each criterion:
- a controller or a processor is subject to the GDPR for the given processing. In this regard, the EDPB notes that controllers and processors that are not established in the EU may still be subject to the GDPR under Article 3(2) for a given processing and, thus, will have to comply with Chapter V when transferring personal data to a third country;
- this controller or processor (defined as exporter) “discloses by transmission or otherwise makes personal data, subject to this processing, available” to another controller, joint controller or processor (defined as importer). This explicitly excludes situations where the data subject discloses the data directly and on his/her own initiative to the recipient (such as in cases of buying items online from a non-EEA webshop, although the processing of personal data by the webshop may still fall under the GDPR more generally if they are targeting the EU market or monitoring individuals in the EU on a large scale). The disclosure of personal data is also not a transfer if the sender and the recipient are not different controllers/processors (as is the case, for instance, where an employee, not being considered a controller, travels to a third country and accesses personal data in his or her company’s EU database via remote access). In relation to a corporate group, the EDPB notes that entities which form part of the same corporate group may qualify as separate controllers or processors, in which case a disclosure between them is a transfer and Chapter V applies;
- the importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3. The EDPB emphasises that the importer should be geographically in a third country (or be an international organisation), regardless of whether the processing at hand falls under the scope of the GDPR.
The EDPB notes that controllers and processors whose processing is subject to the GDPR under Article 3 (including when they have no establishment in the EU) always have to comply with Chapter V of the GDPR when they disclose personal data to a controller or processor in a third country or to an international organisation.
The EDPB also raised concerns about the recent proposals of the European Commission as part of the Digital Services Package and Data Strategy, namely the Data Governance Act (DGA), Digital Services Act (DSA), Digital Markets Act (DMA) and the AI Regulation (AIR). In the EDPB’s view, the proposals do not include sufficient safeguards for the rights and freedoms of individuals, will introduce fragmented supervision over data processing and will create risks of inconsistent requirements.