The European Data Protection Board (EDPB) recently adopted Guidelines 05/2021 (the Guidelines) on the interplay between what it means to be outside the European Economic Area (EEA) but directly applicable to the General Data Protection Regulation (GDPR) and what constitutes an international transfer under Chapter V of the GDPR.
The Guidelines set out a ‘cumulative’ definition providing a three-step assessment, and each step of the definition needs to be satisfied before a transfer is deemed to be a transfer of personal data. The guidance seeks to address the questions raised by the European Commission (EC) when it issued the standard contractual clauses (SCCs) earlier this year. The main question is whether personal data processed by a company outside the EEA but subject to the GDPR is a transfer or not.
The Guidelines seek to settle that question that such movements of personal data are not transfers. Instead, the Guidelines state the controllers or processors of such personal data, due to their being subject to the GDPR, must apply Chapter V to the personal data they transfer to a third country as if they were located in the EEA. What can be deemed a ‘geographic’ transfer rather than a legal one separately subject to Chapter V. The Guidelines, however, are open for a consultation period, so the question does not have a definitive answer yet.