The European Data Protection Board (EDPB), the body which represents EU data protection authorities, has adopted guidelines (Guidelines) confirming when transfers need to be “safeguarded” in accordance with the GDPR (and importantly when they do not). In particular:
In light of the Guidelines, non-EU companies using EU-based vendors may be required by those vendors to include processor-to-controller standard contractual clauses (SCCs) within their services agreement, i.e., clauses applying to the return transfer of data from the EU vendor back to the non-EU customer. Although this will not mean that the GDPR becomes directly applicable to a non-EU entity simply because it uses an EU-based vendor, it does mean that certain obligations set out in the SCCs will apply, e.g., security of processing (Clause 8.2), documentation and compliance (Clause 8.3), complaints procedures (Clause 11), notification of public authority access requests (Clause 15.1), etc. Non-EU customers could also be liable for an EU-based vendor’s breach of the SCCs under Clause 12. This is perhaps a surprising result and could discourage non-EU organizations from engaging EU-based vendors for services that involve the processing of personal data. Non-EU entities should closely review any SCCs provided by EU vendors to ensure they are comfortable with the requirements set out therein.
The Guidelines also highlight a gap in the safeguards currently available to parties seeking to protect their data transfers. As set out above, where an EU-based processor sends personal data to a non-EU controller, this constitutes an international transfer and a safeguard must be implemented. The “go-to” safeguard for most transfers would typically be the SCCs. However, Recital 7 of the European Commission’s decision implementing the new SCCs clearly states that the SCCs may be used “only to the extent that the processing by the importer does not fall within the scope of [the GDPR].” When read in conjunction with the Guidelines, the result is clear: transfers to a party established in a third country but subject to the extraterritorial scope of the GDPR are international transfers that must be safeguarded but cannot be covered by the existing SCCs. This undesirable conflict is born of a difference of opinion between the European Commission (which took the view that no appropriate safeguard was required when transferring personal data to a party otherwise subject to the GDPR) and the EDPB (which considers a safeguard to still be required). Hopefully, this gap will soon be addressed: the European Commission confirmed in the minutes of its September 14 meeting with the EDPB that it would develop a supplemental set of SCCs to cover these scenarios. Unfortunately, the EDPB has not taken this opportunity to advise organizations what they can do until this supplemental set is released.