New GDPR Guidelines on Data Transfers
Claude-Étienne Armingaud, Camille Scarparo and Bastien Pujol
On 19 November 2021, the European Data Protection Board (“EDPB”) adopted new guidelines on the interplay between Article 3 GDPR (territorial scope) and Chapter V GDPR (transfer of personal data to third countries or international organization) of the General Data Protection Regulation (“GDPR”).
Those draft Guidelines aim at clarifying the mechanism of international transfers and more specifically provide a necessary assistance to controllers and processors in the European Union (“EU”) or otherwise subject to GDPR, including guidance on when a data importer would be subject to GDPR and an interpretation of the concept of international transfer.
In order to characterize a processing as a “transfer”, the EDPB relied on the three following cumulative criteria:
- The data exporter (a controller or processor) is subject to the GDPR for the given processing;
- As a reminder, while GDPR generally applies to all entities processing personal data and established in the EU, it can also have an extra territorial reach for certain processing operations consisting in (i) offering products or services to individuals in the EU (e.g. ecommerce and apps) or (ii) monitoring of EU individuals’ behavior taking place in the EU (e.g. cookies and other tracking technologies).
- The data exporter transmits or makes available the personal data to the data importer (another controller, joint-controller or processor); and
- In that regard, the mere remote access to the data would still qualify as a “data transfer” and it remains to be hopefully clarified in the final Guidelines whether the sharing of personal data among joint-controllers (both subject to GDPR from the inception of the processing operations) would in and of itself be considered as a data transfer.
- The data importer is in a third-country or is an international organization.
In addition, a processing that meets these three criteria will be considered a transfer when the importer is established in a third-country and subject to the GDPR following provisions of article 3.2 GDPR. The EDPB considered that when the controller located in a third-country is already subject to GDPR, “less protection/safeguards are needed”. Nevertheless, conflicting national laws, government access in the third-country as well as the difficulty to enforce and obtain redress against an entity outside the EU should be addressed when developing relevant transfer tools.
The EDPB specified that personal data directly collected from the data subjects, at their own initiative, should not to be considered as a transfer.
An online public consultation is opened on the matter until 31 January 2022.