The European Data Protection Board (EDPB) has adopted new guidelines on when a transfer of personal data to third countries is considered to take place in accordance with the GDPR and how this is affected by the territorial scope of the Regulation. The guidelines clarify certain issues where, inter alia, the Swedish Authority for Privacy Protection has previously provided unclear information, such as what applies to employees on a business trip, but at the same time leaves several questions unanswered.
The European Data Protection Board (EDPB) has adopted new guidelines on what constitutes a transfer of personal data to third countries under the General Data Protection Regulation. The guidelines clarify the interaction between Article 3 (territorial scope of the Regulation) and the provisions relating to transfers to third countries, i.e. non-EU/EEA countries. The guidelines are also intended to help data controllers and processors in the EU identify whether a data processing is a third country transfer.
The EDPB sets out three criteria, all of which must be met for data processing to be considered to constitute a third country transfer:
- the exporter of the data and the processing in question are covered by the General Data Protection Regulation;
- the exporter transmits or provides the personal data to the importer; and
- the importer of the data is in a third country or is an international organisation.
Additional Guidance for Specific Situations
The guidelines provide further guidance for all three criteria with supplementary examples of specific situations. For example, the EDPB does not consider that it is a third country transfer when personal data is provided directly by the data subject on its own initiative to a third country recipient. Another example concerns a situation where an employee goes on a business trip to a country outside the EU with their laptop, both accessing and working with personal data contained in the employer's database. That situation is not considered by the EDPB to constitute a transfer to a third country, since the employee is not their own data controller or processor, but is only a part of their employer in the EU.
If the Importer is in a Third Country
The EDPB also believes that data processing will be considered a transfer even if an importer in a third country is covered by the GDPR under Article 3. Instead, the decisive factor is that the importer is in a third country. The EDPB argues that in such cases the safeguard measures required for third country transfers must be adapted to the specific situation, taking into account the rules to which the importer of the personal data is already subject. Rather, the safeguards should fill gaps that may exist in local legislation, due to clashing national laws and the risk of unauthorised access for third country authorities.
Despite the many examples in the guidance, there is no clear overall principle for cases not directly addressed in the guidance. These concern, for example, issues such as transfers to branches in third countries and the importance of Article 32 in relation to the 'risk of third country transfer' where new indicative statements would be desirable.
The guidelines are out for public consultation until 31 January 2022, which means that anyone can submit a referral response.
Do you want to know more about this topic, or did the article raise other questions? Please feel free to contact one of the persons below within GDPR & Data Protection, or your regular contact at Lindahl.