On 18 November 2021, the European Data Protection Board (the “EDPB”) published guidelines on the interplay between article 3 GDPR, on the territorial scope of the GDPR, and Chapter V of the GDPR, on international transfers. The guidelines clarify the concept of international transfers and provide clarification on the necessity of a transfer mechanism through several practical examples.
The extra-territorial applicability of the GDPR and ambiguity relating to international transfers
The GDPR does not only apply to data controllers and processors within the European Economic Area (the “EEA”). Pursuant to article 3(2) of the GDPR, also controllers and processors outside the EEA who process personal data in order to offer goods or services to individuals in the EU/EEA, or for the purpose of monitoring behaviour of data subjects in the EU/EEA, are subject to compliance with the GDPR.
An international data transfer is defined in the GDPR as “any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organization.”
Out of the practical application of these two concepts, questions have arisen on the need for organizations subject to article 3(2) GDPR to comply with the obligations relating to international transfers.
Definition of an international transfer
Following case-law of the Court of Justice of the EU, the EDPB, in its recent Guidelines, defines an international transfer under the GDPR as a transfer meeting three cumulative conditions:
- A controller or a processor, that is subject to the GDPR for the given processing;
- Discloses or makes available personal data to a controller, a joint-controller or a processor; and
- That controller, joint-controller or processor is located in a country outside of the EEA, or is an international organization.
First, the exporter needs to be subject to the GDPR for the given processing activity. This entails that the exporter is either located within the EEA or is located outside of the EEA but subject to article 3(2) GDPR.
More specifically, this means that also controllers or processors established outside the EEA which are already subject to the GDPR pursuant to article 3(2) still need to respect the GDPR obligations in relation to international transfers. Furthermore, when a processor processes personal data on behalf of a non-EEA controller, who is not subject to the GDPR, and sends that personal data back to the controller (even if it does not even concern personal data of EU data subjects), such transfer will be subject to the GDPR as the processor is subject to the GDPR.
Secondly, the exporter needs to disclose the personal data or make the personal data available to a controller, a joint-controller or a processor. This is an important condition to note, as it requires a transfer between two different parties (acting either as controller or as processor). Consequently, personal data which is collected directly from a data subject in the European Union, by a controller outside of the EEA, does not trigger the need for a transfer mechanism. Also important to note is that two organizations within the same group can be two separate identities that trigger a transfer. On the other hand, an employee accessing personal data when traveling abroad does not trigger a transfer, as such an employee is not a processor or controller.
Thirdly, the importer to whom the personal data is transferred must be located in a country outside of the EEA. The EDPB adds that it is not relevant whether this importer is subject to the GDPR for the given processing. Nevertheless, if the importer is in fact subject to the GDPR for the given processing activity (pursuant to article 3(2) GDPR), less protection and safeguards are needed. In order to avoid duplication of the protection mechanisms provided in the GDPR and to address the gaps in protection which would still exist in such situations (as the new SCCs explicitly confirm that they do not apply to such scenario), the EDPB hinted an adjusted, additional set of SCCs may need to be drafted.
What does this mean for non-EEA controllers and processors that are already subject to the GDPR?
A non-EEA controller or processor subject to the GDPR pursuant to article 3(2) GDPR should first of all assess whether there is a transfer of data between two entities. If it is directly collecting data from a data subject, no transfer mechanism is needed, but sufficient organizational and technical measures should nevertheless be put in place to safeguard the protection of the personal data processed.
If there is in fact a transfer, chapter V of the GDPR applies, regardless of whether the non-EEA data importer is already subject to the GDPR. Hence, a transfer mechanism should be put in place.
We remain available to assist with any further question you may have on this topic.