Last week, the European Data Protection Board (the EDPB to you and me) released draft guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR. Importantly, the guidelines set out when a "transfer of personal data to a third country or international organisation" takes place for the purposes of Chapter V. This phrase isn't further defined by the GDPR, which has led to recent uncertainty as to when the new SCCs are actually required. If you'll recall, the recitals of the new SCCs stated that they were not suitable for transfers to an importer already subject to the GDPR. This led to a particular school of thought that, where both the exporter and the importer were subject to the GDPR, the disclosure did not amount to a 'transfer' under Chapter V at all. The guidelines now confirm this thinking is incorrect.
The EDPB confirmed that for a 'transfer' to take place, each of the following must be true:
- The transferring controller or processor (the exporter) is subject to the GDPR (although of course this doesn't necessarily mean they are in the EU).
- The exporting controller or processor then transfers personal data to a different controller/processor (the importer).
- The importer is in a third country/international organisation and it is irrelevant whether or not they are subject to GDPR.
The above conditions very clearly state the extent to which we can consider the disclosure of personal data a 'transfer' for the purposes of Chapter V, and importantly, clarify that transfers between parties subject to the GDPR but not based in the EU are still 'transfers'.
What is a transfer vs. what is not a transfer
A few different specific scenarios are covered by the guidelines, including:
- where personal data is disclosed directly by a data subject to the controller - not a transfer
- transfers within the same party (e.g. a single legal entity) across different countries - not a transfer
- an EU-based employee of an EU company accesses company personal data while in a third country - not a transfer
- a processor in the EU sends data back to a controller outside the EU that is not subject to the GDPR - transfer
- a processor in the EU sends data to a sub-processor outside the EU that is not subject to the GDPR - transfer
Regardless of whether a 'transfer' takes place, the guidelines make clear that this does not remove all risk. Controllers and processors remain obliged to implement technical and organisational measures appropriate to the risks of their processing activities, in accordance with Article 32 of the GDPR. So even where a 'transfer' is not taking place, the controller or processor may conclude that extensive security measures are needed to carry out a specific processing operation in a third country.
So, we've concluded that sending personal data to a third-country importer subject to the GDPR still constitutes a 'transfer', so Chapter V applies and additional safeguards (e.g. SCCs) are required. At the same time, we also know that the new EU SCCs cannot be used where the importer is subject to the GDPR... so what do we do?! The guidelines acknowledge that transfer tools for this situation are "only available in theory". If they were to exist, they should take into account that the importer is already subject to the GDPR by virtue of its extraterritorial provisions, and ensure that those obligations are not duplicated contractually; they would then only need to fill the gaps relating to conflicting national laws and government access in the third country, and the difficulty of enforcing and obtaining redress against an entity outside the EU. This means that, regardless of the transfer, the Schrems II transfer requirements should still be covered off. As you may have read, last month rumours started circulating of a new set of SCCs which will exactly match these requirements, but we won't hold our breath!
So what's next?
In theory, the concept of two separate sets of SCCs works - a 'light' set for those importers already subject to the GDPR, and a 'heavy' set for those importers not subject to the GDPR, to essentially bolt on the legal requirements of the GDPR contractually. However, this contractual nexus relies upon both the exporter and importer performing their own assessment of whether the importer is subject to the GDPR by virtue of Article 3(2), agreeing on this and then papering accordingly. In practice this just means another step to add to the vendor onboarding process, as well as additional costs in carrying out such an analysis. Parties hedging their bets may just choose to enter into the current ‘heavy’ EU SCCs rather than any new ‘light’ EU SCCs, given that they will be more restrictive, and to avoid the situation where they enter into the ‘light’ SCCs and the facts suggest the importer is not actually subject to the GDPR, creating a compliance gap.
Can I have my say?
Yes! The EDPB are consulting on the new guidelines until 31 January 2022.
The Guidelines specify three cumulative criteria that qualify a processing as a transfer: (1) the data exporter (a controller or processor) is subject to the GDPR for the given processing; (2) the data exporter transmits or makes available the personal data to the data importer (another controller, joint controller or processor); (3) the data importer is in a third country or is an international organisation.