• About us
    • About Lindahl
    • How we work
    • Said about Lindahl
    • Press
    • Find us
    • Privacy
  • Areas
    • Commercial dispute resolution
    • IT/Tech
    • Intellectual property
    • Life Sciences
    • M&A
    • All areas
  • Our people
    • Stockholm
    • Göteborg
    • Malmö
    • Uppsala
    • Helsingborg
    • Örebro
  • Latest news
    • Cases and transactions
    • News
    • Events
    • Knowledge
    • Portraits
  • Offices
    • Stockholm
    • Göteborg
    • Malmö
    • Uppsala
    • Örebro
    • Helsingborg

New EDPB guidelines on what constitutes a third country transfer

  • Home
  • Latest news
  • Knowledge
  • 2021
  • New EDPB guidelines on what constitutes a third country transfer

The European Data Protection Board (EDPB) has adopted new guidelines on when a transfer of personal data to third countries is considered to take place in accordance with the GDPR and how this is affected by the territorial scope of the Regulation. The guidelines clarify certain issues where, inter alia, the Swedish Authority for Privacy Protection has previously provided unclear information, such as what applies to employees on a business trip, but at the same time leaves several questions unanswered.

The European Data Protection Board (EDPB) has adopted new guidelines on what constitutes a transfer of personal data to third countries under the General Data Protection Regulation. The guidelines clarify the interaction between Article 3 (territorial scope of the Regulation) and the provisions relating to transfers to third countries, i.e. non-EU/EEA countries. The guidelines are also intended to help data controllers and processors in the EU identify whether a data processing is a third country transfer.

Three Criteria


The EDPB sets out three criteria, all of which must be met for data processing to be considered to constitute a third country transfer:

  1. the exporter of the data and the processing in question are covered by the General Data Protection Regulation;
  2. the exporter transmits or provides the personal data to the importer; and
  3. the importer of the data is in a third country or is an international organisation.

 

Additional Guidance for Specific Situations

The guidelines provide further guidance for all three criteria with supplementary examples of specific situations. For example, the EDPB does not consider that it is a third country transfer when personal data is provided directly by the data subject on its own initiative to a third country recipient. Another example concerns a situation where an employee goes on a business trip to a country outside the EU with their laptop, both accessing and working with personal data contained in the employer's database. That situation is not considered by the EDPB to constitute a transfer to a third country, since the employee is not their own data controller or processor, but is only a part of their employer in the EU.

 

If the Importer is in a Third Country

The EDPB also believes that data processing will be considered a transfer even if an importer in a third country is covered by the GDPR under Article 3. Instead, the decisive factor is that the importer is in a third country. The EDPB argues that in such cases the safeguard measures required for third country transfers must be adapted to the specific situation, taking into account the rules to which the importer of the personal data is already subject. Rather, the safeguards should fill gaps that may exist in local legislation, due to clashing national laws and the risk of unauthorised access for third country authorities.

Despite the many examples in the guidance, there is no clear overall principle for cases not directly addressed in the guidance. These concern, for example, issues such as transfers to branches in third countries and the importance of Article 32 in relation to the 'risk of third country transfer' where new indicative statements would be desirable.

The guidelines are out for public consultation until 31 January 2022, which means that anyone can submit a referral response.

 


Do you want to know more about this topic, or did the article raise other questions? Please feel free to contact one of the persons below within GDPR & Data Protection, or your regular contact at Lindahl.

 

Privacy

The digitalisation of society has meant that processing of personal data has become a prerequisite – and an independent value – for the activities of companies, public authorities and other organisations. In parallel with this, requirements regarding protection of employees’ and customers’ privacy have increased significantly.

Visit page

Related

  • 12/9/2021 5:21:45 PM Reminder: New standard contractual clauses from the European Commission – Time to update contract templates and negotiate existing contracts
  • 12/10/2021 5:22:33 PM New OECD recommendations raise expectations for anti-corruption efforts
  • 11/29/2021 4:06:04 PM The Whistleblowing Act – How to prepare your business

Contact

  • Pontus Etéus

    Göteborg

    pontus.eteus@lindahl.se +46 731 472 786
  • Mikael Olsson

    Uppsala

    mikael.olsson@lindahl.se +46 18 161 826
  • Ida Karlsson

    Örebro

    ida.karlsson@lindahl.se +46 736 721 753
  • Isabelle Selemba

    Helsingborg

  • Lisa Liljekvist

    Stockholm

Pages
  • Start
  • About us
  • Areas
  • Our people
  • Latest news
  • Privacy
Our offices
  • Stockholm reception.stockholm@lindahl.se +46 8 527 70 800
  • Göteborg reception.goteborg@lindahl.se +46 31 799 10 00
  • Malmö reception.malmo@lindahl.se +46 40 664 66 50
  • Uppsala reception.uppsala@lindahl.se +46 18 16 18 50
  • Örebro reception.orebro@lindahl.se +46 19 20 89 00
  • Helsingborg reception.helsingborg@lindahl.se +46 42 17 53 00
Social media
  • Connect with us on social networks: Instagram, Linkedin, Youtube, Facebook,

Disclaimer

The material and information on this site is intended for general informational purposes only and does not constitute legal advice on any specific matter. Please note that all images on Lindahl's website, www.lindahl.se, are subject to intellectual property protection and downloading, publication, copying and/or other use of the images requires the written consent of the rights holder. You'll find Advokatfirman Lindahl KB's general terms and conditions here.

Some cookies are essential, others help us improve your experience by providing insights into how the site is used. For more information, please visit our Cookie Policy.

Essential Cookies

These cookies are necessary for the functionality of the site and cannot be disabled.

Analytics Cookies>

We use Analytics cookies to collect information that gives us insight into how our website is being used. We anonymize IP addresses in Google Analytics. By clicking on Decline we won't save theese cookies.

Decline
We use cookies to get insights on how our site is used and give our visitors the best possible experience