EDPB Clarifies Position on International Data Transfers
Pursuant to discussions held during its November plenary, the European Data Protection Board (“EDPB”) published for public comment, on 19 November 2021, its Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (“Draft Guidelines”).
Transfers of personal data originating in the European Union (“EU”) to non-EU entities situated in third countries or international organizations that do not afford a GDPR-equivalent level of protection need to be legalized through the implementation of appropriate safeguards in accordance with Chapter V of the EU General Data Protection Regulation (“GDPR”), such as through the adoption of Standard Contractual Clauses (“SCCs”), Binding Corporate Rules, Codes of conduct, etc. This is to ensure that the level of protection offered by the GDPR is not undermined.
Questions regarding the relationship between Article 3 (territorial scope) and Chapter V arose when Recital 7 of the new SCCs, published in June 2021, suggested that the SCCs are unnecessary where the data importer (controller or processor) is already directly governed by the GDPR by virtue of its broad extra-territorial application under Article 3(2). As a result, there was confusion over whether appropriate safeguards in accordance with Chapter V need to be put in place prior to transfers to non-EU controllers and processors located in third countries that fall within the GDPR’s applicability.
In light of the above, the Draft Guidelines provide the following clarifications:
Firstly, the appropriate safeguards in accordance with Chapter V must be implemented even where the processing operation by the data importer falls under Article 3(2). The intention is to compensate for the risk posed by problematic third country legislation on government access that the data importer falls under, since the GDPR no longer applies in such situations.
Secondly, three cumulative criteria need to be met for a processing operation to qualify as a transfer under Chapter V.
(i) The data exporter (controller or a processor) is subject to the GDPR for the given processing.
(ii) The data exporter transmits or otherwise makes personal data available to a data importer (another controller, joint controller or processor).
(iii) The data importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in accordance with Article 3.
Therefore, as long as the processing falls within Article 3(1) and the personal data is transferred to a third country or an international organization, it would constitute an international data transfer under Chapter V. The processing being undertaken by the non-EU data importer is immaterial and need not fall under Article 3(2), i.e., the processing of personal data of data subjects in the EU need not relate to the offering of goods or services, nor to the monitoring of their behaviour as far as their behaviour takes place within the EU.
Example 1: Company X established in Austria, acting as controller, provides personal data of its employees or customers to a company Z established in Chile, which processes these data as processor on behalf of X.
In this case, the disclosure of personal data by Company X, established in the EU, to non-EU processor Company Z would constitute a transfer. Thus, Chapter V of the GDPR applies.
Example 2: The Irish Company A, which is a subsidiary of the U.S. parent Company B, discloses personal data of its employees to Company B to be stored in a centralized HR database by the parent company in the U.S.
In this case, Company A processes the data of its employees in its capacity of employer and hence, as a controller under Article 3. The disclosure from Company A to Company B qualifies as a transfer to a third country and Chapter V of the GDPR applies. This clarifies that data transfers between entities belonging to the same corporate group (intra-group data transfers) will constitute transfers.
Thirdly, collection of personal data by a non-EU controller directly from the data subject is not considered a transfer.
Example 3: Maria, living in Italy, inserts her personal data by filling a form on an online clothing website in order to complete her order and receive the dress she bought online at her residence in Rome. The online clothing website is operated by a company established in Singapore with no presence in the EU.
Since Maria is the data subject and not an exporter (neither a controller nor processor), the passing of personal data to the non-EU Singaporean controller will not constitute a transfer. Thus, Chapter V does not apply to this case.
Fourthly, notwithstanding the above position, the Draft Guidelines acknowledge that lesser data protection safeguards are required where transfers take place to non-EU data importers already subject to the GDPR. They therefore encourage the development of a new transfer tool for such transfers.
The minutes of the EDPB’s November plenary meeting also reveal that the EU Commission will develop a new set of SCCs following the adoption of the Draft Guidelines. The purpose is not to duplicate the GDPR obligations but rather to fill the gaps relating to conflicting third country national laws on government access as well as the difficulty of enforcing and obtaining redress against a non-EU entity.
The Draft Guidelines are helpful in providing a common understanding to stakeholders of the concept of international data transfers. As the new set of SCCs is intended to prevent duplication of the GDPR obligations, we surmise that it will be less comprehensive and onerous than the existing SCCs and limited to, inter alia, clauses dealing with public authority access requests (Section III of the SCCs), third party beneficiary rights (Clause 3 of the SCCs), governing law and jurisdiction (Clauses 17 and 18 of the SCCs) and redressal mechanisms for data subjects (Clause 11 of the SCCs). The clauses on data protection safeguards are likely to be redrafted with a reiteration of the data importer’s direct obligations under the GDPR pursuant to Article 3(2). We assume that the three annexes appended to the SCCs requiring a detailed description of processing activities are unlikely to change.
The new set of SCCs would expedite the process of conclusion of contracts for data transfers and eliminate redundancy in the existing transfer rules under Chapter V. When published, they will replace the existing SCCs where the controller/processor’s processing is already covered by Article 3(2). Until such publication and further guidance from the EDPB, the SCCs will continue to apply.
Since 27th September 2021, new contracts concluded by controllers and processors for cross-border data transfers are mandated to incorporate the SCCs. For contracts that were concluded before 27th September 2021, controllers and processors can continue to rely on the earlier SCCs (published in 2010) until 27th December 2022, provided that the processing operations that are the subject matter of the contract remain unchanged.