What is a personal data “transfer”? EDPB publishes guidelines on the interplay between GDPR’s territorial scope and cross-border transfer rules

On 18 November 2021, the European Data Protection Board (EDPB) published draft Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (available here) (the Guidelines). 

Background

The Guidelines seek to clarify provisions of the GDPR that set out its territorial scope (i.e. Article 3) and provisions concerning transfers of personal data outside the EEA (i.e. Chapter V). There has been tension between these provisions, due to the fact that the GDPR is silent on the meaning of “transfer” for the purposes of Chapter V, while Article 3(2) provides for extra-territorial application of the GDPR to controllers and processors that process personal data of EEA citizens outside the EEA. 

Given the wave of attention on international transfers in the wake of Schrems II (see our earlier reports on the judgment here, the revised standard contractual clauses that followed here and the EDPB recommendations on Schrems II-compliant use of appropriate safeguards for international transfers here), questions had arisen on the need for organisations subject to Article 3(2) of GDPR to comply with the obligations relating to international transfers under Chapter V.

The Guidelines intend to guide EEA-based controllers and processors in identifying whether a processing operation constitutes an international “transfer” by setting down a common understanding of this concept. 

The meaning of a “transfer”

The Guidelines identify three cumulative criteria that qualify a processing activity as a “transfer” within the meaning of Chapter V: 

1. A controller or processor, needs to be subject to the GDPR for the relevant processing activity, i.e. by being within the EEA or by virtue of being subject to Article 3(2). 
   
2. That controller or processor (the exporter) must disclose or otherwise make available the personal data to another controller, a joint controller or a processor (the importer), i.e. the transfer needs to take place between two different parties.
   
3. The importer is located in a country outside of the EEA (or is an international organisation), regardless of whether or not the processing by the importer falls within scope of Article 3 of the GDPR.

If all of the above criteria are met, there will be a transfer to a third country or to an international organisation and the relevant controller or processor must comply with the conditions of Chapter V and ensure a valid transfer tool is in place such as standard contractual clauses. The applicability of Chapter V is therefore based on the importer’s geographic location in a third country rather than whether or not the importer is subject to the GDPR. 

Exceptions to the meaning of transfer

In order to clarify the area further, the Guidelines present important practical examples of what is and is not a transfer:

• Where a data subject in the EEA directly transmits personal data (e.g. through an online form) to a controller or processor located outside the EEA, this does not qualify as a transfer, as there is no involvement of an exporter.
• Where data is accessed remotely by an employee, this will not be a transfer. This is due to the fact that the sender and recipient are the same controller/processor, i.e. an employee is not a separate entity to the exporter. (However, the EDPB warns that the employer remains obliged to ensure security of processing and to implement technical and organisational measures appropriate to risk at all times).
• Entities within the same corporate group may qualify as separate controllers and processors and therefore a transfer occurs. The EDPB provides the example of an Ireland-based subsidiary of a US-parent company, where the US entity hosts the Irish entity’s employee data on its database. The data is transferred by the Irish subsidiary in its capacity as employer (i.e. as a controller) to the parent company (as a processor) and a transfer therefore occurs. 

Implications for ‘exporters’ of personal data

In publishing the Guidelines, the EDPB has underlined that organisations seeking to transfer personal data outside the EEA (irrespective of whether Article 3(2) applies) must ensure the personal data is provided equivalent protection to that which it receives within the EEA (i.e. Chapter V of the GDPR applies). 

This approach acknowledges that, even where the GDPR applies to a transfer by virtue of Article 3(2), there may still be gaps in the GDPR-level protection, due to conflicting national laws and government access in the third country, as well as difficulty in enforcing and obtaining redress against an entity outside the EEA. 

The EDPB recommends that the content of the transfer tools (such as standard contractual clauses or ad hoc contractual clauses) described in Article 46 of Chapter V of the GDPR should be customised for the specific situation and include only those GDPR obligations that are missing or impinged as a result of the transfer to third country.

Next steps?

• The Guidelines are currently subject to public consultation, which runs until 31 January 2022.
  
• The EDPB acknowledges in the Guidelines that transfer tools (such as further standard contractual clauses or ad hoc contractual clauses) under Chapter V that it proposes are currently only available in theory. Therefore, it remains to be seen whether a further set of standard contractual clauses will be adopted by the European Commission. 

Our Data Protection Team will continue to keep you updated on compliance with international transfer rules and other compliance matters under the GDPR. We are available to assist you with identifying and putting in place appropriate transfer mechanisms, including conducting transfer risk assessments and implementing supplementary measures. For further information, please contact Seán O’Donnell, Zelda Deasy, Kelly Mackey or any member of the ByrneWallace LLP Data Protection/GDPR Team.