The European Data Protection Board (EDPB) recently adopted Guidelines 05/2021 (the Guidelines) on the interplay between being located outside the European Economic Area (EEA) but directly subject to the General Data Protection Regulation (GDPR) and what constitutes an international transfer under Chapter V of the GDPR.
The Guidelines set out a ‘cumulative’ definition providing a three-step assessment, and each step of the definition needs to be satisfied before a given movement of personal data is deemed to be a transfer of personal data. The guidance seeks to address the questions raised by the European Commission (EC) when it issued the standard contractual clauses (SCCs) earlier this year. The main question is whether personal data processed by a company outside the EEA but subject to the GDPR is a transfer or not.
The Guidelines seek to settle that question by stating that such movements of personal data are not transfers. Instead, the Guidelines state that the controllers or processors of such personal data, because they are subject to the GDPR, must apply Chapter V to the personal data they transfer to a third country as if they were located in the EEA. This is what can be deemed a ‘geographic’ transfer rather than a legal one separately subject to Chapter V. The Guidelines, however, are open for a consultation period, so the question does not have a definitive answer yet.
GDPR Article 3 and Chapter V
- Article 3 sets out the territorial scope of the GDPR, whether the processing is in the context of an EEA establishment or via the extra-territorial clauses of selling goods and services or monitoring the behaviour of individuals located in the EEA. The thrust of the article is that the substance of the processing determines the applicability of the GDPR regardless of who is conducting the processing (controller in the EEA, controller outside the EEA, processor in the EEA or processor outside the EEA).
- Chapter V (Articles 44-50) addresses the requirements for transfers of personal data to third countries or international organisations and, according to Article 44, applies to any ‘transfer of personal data’ undergoing (or that will undergo) processing after transfer to a third country.
The EDPB’s Guidelines
The EDPB’s definition requires a three-step assessment to determine whether personal data will be transferred to the third country:
- Step 1: Is the controller or processor directly subject to the GDPR for the purpose of the given processing? If yes, proceed to Step 2.
- Step 2: Will the controller or processor disclose ‘by transmission’ this same personal data to a separate and independent controller or processor? If yes, proceed to Step 3.
- Step 3: Is the other controller or processor located in a third country? If yes, Bingo! It’s a transfer. Do not pass ‘Go’ until there is an adequate transfer mechanism in place, as required under Chapter V.
By way of reminder, an adequate transfer mechanism will be a country deemed by the EC to provide adequate protection, the appropriate module(s) of the SCCs or binding corporate rules.
The EDPB have provided numerous examples in their very short (seven-page) Guidelines. Despite the length, the Guidelines do still raise a number of questions, such as transfers within a ‘family’ of companies and whether there is a transfer when the recipient is a separate legal person (affiliate, parent, or subsidiary). The Guidelines are now open to public consultation until 31 January 2022.
Still to come is a new set of SCCs to govern transmissions of personal data between entities that are directly subject to the GDPR, and they are expected sometime during the first quarter of 2022. They too will likely be subject to a consultation period, so it may be June 2022 before the Guidelines are finalised and an appropriate set of SCCs is issued. Here’s hoping good things come to those who wait!