On 19 November 2021 the European Data Protection Board (“EDPB”) published draft Guidelines on the interplay between the application of Article 3 and the provisions on international transfers under Chapter V of the GDPR (“draft Guidelines”). The draft Guidelines are open for public consultation until 31 January 2022.
The draft Guidelines set out the EDPB’s criteria for what constitutes a “transfer of personal data to a third country or international organisation”, as this is not defined under the GDPR.
In summary, for there to be such a transfer, all three of the following cumulative criteria must be met:
- A controller or a processor is subject to the GDPR for the relevant processing;
- The controller or processor (the “exporter”) discloses by transmission, or otherwise makes available, personal data subject to this processing to another controller, joint controller or processor (the “importer”); and
- The importer is in a third country or is an international organisation. It does not matter whether the importer is itself directly subject to the GDPR in respect of the given processing under Article 3 of the GDPR.
Controllers and Processors outside of the EU but subject to the GDPR still need to comply with international data transfer provisions under Chapter V of the GDPR
The draft Guidelines confirm that controllers or processors that are not established in the EU/EEA, but are directly subject to the GDPR under Article 3(2), (for example because they offer goods or services to data subjects in the EU or monitor their behaviour in the EU), have to comply with the international data transfer provisions under Chapter V of the GDPR.
The EDPB recognises there is not currently a transfer tool in place to address such transfers, but “encourages and stands ready to cooperate in the development of a transfer tool, such as a new set of standard contractual clauses, in cases where the importer is subject to the GDPR for the given processing in accordance with Article 3(2)”. The EDPB states in the draft Guidelines that when developing these new transfer tools the circumstances should be taken into account to ensure that GDPR obligations are not duplicated. For example, in the draft Guidelines the EDPB states that for transfers of personal data to a controller that is subject to the GDPR, “less protection/safeguards are needed”.
The EDPB states such a new transfer tool should address elements and principles that are “missing” in order to fill gaps regarding conflicting national laws and government access in the third country and difficulties in enforcing and obtaining redress against an entity outside of the EU/EEA. Specifically, the EDPB states the transfer tool should address: (a) measures to be taken if there is a conflict of laws between third country legislation and the GDPR; and (b) third country legally binding requests for disclosure of data.
Therefore, the concerns at the heart of the Schrems II judgment and subsequent EDPB guidelines on supplementary measures are clearly something the EDPB has in mind for any new standard contractual clauses for use when transferring personal data to a controller or processor outside of the EU/EEA subject to the GDPR.
What is (and isn’t) a “transfer”?
The EDPB has clarified in the draft Guidelines that where personal data is disclosed directly by a data subject on their own initiative to the recipient, this is not a transfer of personal data for the purposes of Chapter V of the GDPR.
This is because there is no controller or processor acting as an exporter that sends or makes the personal data available to an importer outside of the EU/EEA. The EDPB states in the draft Guidelines that the data subject “cannot be considered a controller or processor”, and therefore cannot be an “exporter”, although a self-employed person could of course be a controller or processor in respect of other processing.
The EDPB provides an example of an online e-commerce website where the controller is in Singapore, and the data subject places an order in the EU and completes a form on the company’s website. The EDPB states there is no “transfer” of personal data in that scenario as the personal data is “passed directly” by the data subject on their “own initiative”. This confirmation will no doubt be welcomed by organisations located outside of the EU/EEA that collect personal data directly from data subjects in the EU.
The EDPB also confirms in the draft Guidelines that:
- For there to be a “transfer”, there must be two different (separate) parties, each a controller, joint controller or processor. For example, when an employee of a controller based in the EU travels to a jurisdiction outside of the EU (e.g. India) and remotely accesses personal data from that third country, that is not a transfer: the employee is not another controller but an integral part of the controller;
- Where a processor based in the EU/EEA sends personal data back to a controller located outside of the EU/EEA, this is a “transfer” for the purposes of Chapter V of the GDPR; and
- Where a processor based in the EU/EEA sends personal data to a sub-processor located outside of the EU/EEA, this is a “transfer” for the purposes of Chapter V of the GDPR.
However, the EDPB also states in the draft Guidelines that although a particular data flow may not constitute a “transfer” to a third country for the purposes of Chapter V of the GDPR, processing of personal data could still involve risks due to conflicting national laws or government access in a third country, as well as difficulties in enforcing and obtaining redress against entities located outside of the EU/EEA.
Therefore, although there may not be a “transfer”, the EDPB is indicating that issues with national laws and practices in a third country still need to be considered and addressed. The EDPB references the obligation in Article 32 of the GDPR regarding technical and organisational measures, which must take into account the risks presented by the processing. In that context, the EDPB states that “a controller may very well conclude that extensive security measures are needed – or even that it would not be lawful – to conduct or proceed with the specific processing operation in a third country although there is no “transfer” situation”.
So although the EDPB’s clarification of the scenarios in which there is no “transfer” of personal data may be helpful, it does not remove the need to consider local laws and practices where personal data is ultimately processed in a third country outside of the EU/EEA that is not covered by an adequacy decision.
In addition, although there may be no “transfer” to a controller outside of the EU/EEA where the personal data is collected directly from a data subject in the EU, it is clear from the draft Guidelines that any onward transfer by that controller to a different controller, joint controller or processor would be subject to Chapter V of the GDPR, and appropriate safeguards would need to be in place. This includes transfers to controllers or processors in the same non-EU/EEA jurisdiction or in another third country.
In summary, the draft Guidelines set out three cumulative criteria for a processing operation to qualify as a transfer: (1) the data exporter (a controller or processor) is subject to the GDPR for the given processing; (2) the data exporter transmits or otherwise makes the personal data available to the data importer (another controller, joint controller or processor); and (3) the data importer is in a third country or is an international organisation.
Where these criteria are met, the processing is a transfer regardless of whether the importer established in the third country is already subject to the GDPR under Article 3. By contrast, the EDPB considers that the collection of personal data directly from data subjects in the EU, at their own initiative, does not constitute a transfer.