If you can remember as far back as December 2021, we published a blog post announcing that the European Data Protection Board (EDPB) had published draft guidelines on the interplay between the territorial scope of the GDPR and the international transfer requirements. Following what must have been an extensive consultation, we are pleased to report that those guidelines were finally finalised on 14 February 2023 (here), and we are even more pleased to report that they contain some very useful illustrations to help you make sense of the concept of international data transfers.
What is the ‘interplay’?
The geographical scope of the GDPR is broad, which means that companies outside the EU may be subject to its requirements. One such requirement is the obligation to ensure appropriate safeguards are in place when personal data is transferred outside the EU (the transfer obligation). Since the GDPR’s implementation in May 2018, the big questions have been: what exactly is a transfer, and does the transfer obligation apply to the initial transfer of personal data to a non-EU-based company that might be caught by the GDPR due to its extra-territorial scope?
In relation to the first question, the EDPB’s view is that a transfer must consist of three steps (see previous blog post where we set these out).
In relation to the second question, no, the transfer obligation will not apply to the initial transfer of personal data to a non-EU-based company that might be caught by the GDPR due to its extra-territorial scope, so long as it receives the personal data directly from the data subject. However, if that non-EU-based controller or processor discloses the personal data to another non-EU-based controller or processor, this would amount to a transfer and would fall within the transfer obligation, which means appropriate safeguards would need to be implemented.
Other notable takeaways
There are a couple of other big (and welcomed) takeaways:
1. If employees of an EU-based controller or processor access personal data held by the controller or processor whilst located outside the EU, this will not be a transfer and the transfer obligation will not apply.
2. If a non-EU-based company, which does not fall within the territorial scope of the GDPR, obtains personal data directly from the data subject, this will not be a transfer and the transfer obligation will not apply (nor will it apply to any onward transfers).
3. If a non-EU-based processor remotely accesses an EU-based controller’s personal data, this will be a transfer and the transfer obligation will apply.