On 19 November, the European Data Protection Board (‘EDPB’) published its draft Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (“Guidelines”). The Guidelines aim to clarify the interplay between Article 3 and the provisions of the GDPR on international transfers in Chapter V, in order to assist controllers and processors in the EU in identifying whether a processing activity constitutes a transfer to a third country or to an international organisation and, as a result, whether they have to comply with the provisions of Chapter V of the GDPR. To assist with this, the Guidelines provide a set of criteria that qualify a processing as a transfer, alongside examples of specific processing.

Background

The GDPR regulates the transfer of EU personal data outside of the EEA, requiring a valid transfer mechanism under Chapter V GDPR to be in place. Such mechanisms include adequacy decisions of the European Commission and appropriate safeguards (such as Standard Contractual Clauses, Binding Corporate Rules etc.).

These draft Guidelines follow a spate of activity in recent years in relation to transfers of personal data, following the Schrems II decision of the Court of Justice of the European Union and the publication earlier this year of the EDPB Recommendations on Supplementary Measures and the European Commission’s Standard Contractual Clauses for the transfer of personal data to third countries.

Key takeaways

  • The Guidelines set out three cumulative criteria that qualify a processing as a transfer:
    • A controller or a processor is subject to the GDPR for the given processing
      • This criterion requires that the relevant processing meets the requirements of Article 3 GDPR, i.e. that a controller or processor is subject to the GDPR for the given processing. The Guidelines emphasise that controllers and processors which are not established in the EU may still be subject to the GDPR given the extra-territorial effect of Article 3(2) GDPR, and therefore will also have to comply with Chapter V GDPR when transferring personal data to a third country or to an international organisation.
    • This controller or processor (i.e. the exporter) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller, or processor (i.e. the data importer)
      • The Guidelines confirm that this second criterion will not be fulfilled where the data are disclosed directly by the data subject to the non-EU recipient, as there is no controller or processor sending or making the data available, and therefore Chapter V does not apply. However, the recipient will still need to assess whether its processing operations are subject to the GDPR pursuant to Article 3(2), and therefore whether any onward transfer by the recipient is subject to Chapter V of the GDPR.
      • This should be distinguished from the situation where the data subject provides personal data directly to an EU established company/branch, and that data is then transferred to a non-EU entity in a third country. This will amount to a transfer under Chapter V of the GDPR.
      • In addition, where a processor in the EU sends data (including data relating to non-EU data subjects), back to its controller in a third country, the Guidelines confirm that since the controller is in a third country, the ‘reverse’ disclosure of data from the EU processor back to the controller is regarded as a transfer of personal data and therefore Chapter V applies.
      • The Guidelines also confirm that in order to qualify as a transfer, there must be a controller or processor disclosing the data (the exporter) and a different controller or processor receiving or being given access to the data (the importer) – if the sender and the recipient are not different controllers/processors, the disclosure of personal data should not be regarded as a transfer under Chapter V of the GDPR since data is processed within the same controller/processor.
      • The Guidelines contain a helpful example – an employee of an EU established company travelling overseas and remotely accessing and processing personal data on the company databases will not constitute a transfer, given an employee is an integral part of the controller company and the disclosure is therefore carried out within the same controller. However, the Guidelines are clear that even though no transfer is taking place in this scenario, such processing can still be associated with risks, e.g. due to conflicting national laws or government access in a third country, and therefore the controller company must still ensure compliance with GDPR, including that technical and organisational measures are in place which consider the risks with respect to the processing activities, in accordance with Article 32 of the GDPR.
      • The Guidelines confirm that entities which form part of the same corporate group may qualify as separate controllers or processors. Therefore intra-group data disclosures may constitute transfers of personal data.
    • The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.
      • This third criterion requires that the importer is geographically in a third country or is an international organisation, regardless of whether the processing at hand falls under the scope of the GDPR.
      • The Guidelines provide an example where a processor in the EU sends data back to its controller in a third country, including where the EU processor “re-transmits the data” to the non-EU controller. The Guidelines state that even though the non-EU controller may be subject to the GDPR by virtue of Article 3(2) GDPR, as the controller is in a third country, the disclosure of data from the processor to the controller is regarded as a transfer to a third country and therefore Chapter V applies. This appears to move away from the ‘GDPR bubble’ concept suggested in the European Commission’s Standard Contractual Clauses at Recital 7, which state that the SCCs “may be used for such transfers only to the extent that the processing by the importer does not fall within the scope of [GDPR]”.
  • If all of the identified criteria are met, there will be a transfer to a third country or to an international organisation and the relevant controller or processor must comply with the conditions of Chapter V GDPR.
  • Interestingly, the Guidelines state that in relation to a transfer of personal data to a controller in a third country which is already subject to the GDPR for the given processing, fewer protections/safeguards are needed. When developing relevant transfer tools, the Guidelines confirm that “the Article 3(2) situation should be taken into account in order not to duplicate the GDPR obligations but rather to address the elements and principles that are “missing” and, thus, needed to fill the gaps relating to conflicting national laws and government access in the third country as well as the difficulty to enforce and obtain redress against an entity outside the EU”. The Guidelines encourage the development of a transfer tool, such as a new set of SCCs or ad-hoc clauses, in cases where the importer is subject to the GDPR for the given processing in accordance with Article 3(2). The EDPB has indicated that it is willing to cooperate in the development of such a tool, which would come as a welcome transfer mechanism particularly in intragroup transfers where importers are generally already subject to the GDPR by virtue of their establishments in the EU.

What next?

The Guidelines are subject to a public consultation (ending on 31 January 2022) and will be applicable following their publication.

The Guidelines, which are not legally binding, provide some welcome guidance. However, practical implementation of certain aspects of the Guidelines may be a challenge, particularly in relation to applying Chapter V to situations where transfers are re-transmitted.