On November 18, 2021, the European Data Protection Board (“EDPB”) issued guidelines on the interplay between provisions in the General Data Protection Regulation (“GDPR”) governing scope and applicability and those governing international data transfer. Specifically, the EDPB outlined three criteria that should be used to determine whether a “transfer” of personal data to a country outside of the European Economic Area (“EEA”) has occurred, triggering additional safeguard obligations.

Transfer, “Defined”

The GDPR regulates the processing of personal data within the EEA as well as transfers of that data to countries outside of the EEA (“third countries”) to ensure that data has safeguards that meet a “standard of essential equivalence”¹ to the protection afforded by the GDPR and laws of Member States, including derogations. The EDPB’s latest guidance seeks to clarify that a “transfer” requiring compliance with Chapter V of the GDPR takes place when each of the following three criteria is met:

1. A controller or processor is subject to the GDPR for the given processing;
2. The controller or processor (“exporter”) discloses by transmission or otherwise makes personal data available to another controller, joint controller or processor (“importer”); and
3. The importer is in a third country or is an international organization, regardless of whether the importer is subject to the GDPR under Article 3.

Exporter’s Processing Activity Is Subject to the GDPR

The first criterion requires that the controller or processor who will eventually export the data falls within the scope of the GDPR for the given processing activity. Under Article 3 of the GDPR, it applies to the processing of personal data:

1. in the context of the activities of an establishment of a controller or a processor in the EEA, regardless of whether the processing takes place in the EEA;
2. of data subjects who are in the EEA by a controller or processor not established in the EEA, where the processing activities are related to the offering of goods and services in the EEA or monitoring of data subject behavior that takes place in the EEA;
3. by a controller not established in the EEA but where the member state law applies by virtue of public international law.

An exporter for that given processing activity must fall within the scope of one or more of the criteria listed above in order for a “transfer” to have occurred that triggers the applicability of Chapter V of the GDPR.

Exporter (Not Data Subject) Makes Data Available to Importer

The second criterion seeks to answer an important question: does a transfer occur where the data was disclosed directly by the data subject to a controller at her own initiative? The EDPB has answered “no.” A transfer that incurs additional obligations under Chapter V of the GDPR requires that the data is sent or made available by a controller or processor, not the data subject herself.

In addition, the second criterion clarifies that internal transfers within the same entity do not qualify as transfers. Note, however, that transfers between entities that form part of the same corporate group may constitute transfers of personal data if the remaining criteria are met.

Importer Is in a Third Country or Is an International Organization

The third criterion requires that the importer be geographically in a third country or in an international organization. Transfers inside the EEA do not constitute transfers requiring additional protections.

Appropriate Safeguards

If all three criteria are met, there is a “transfer” requiring additional measures under Chapter V. Under the GDPR, there are three scenarios in which an entity can legitimately transfer personal data to a receiver outside of the EEA: (1) the receiver is located within an area covered by an adequacy decision; (2) appropriate safeguards have been established to protect individuals’ rights to their personal data; or (3) an exception, such as explicit consent, covers the transfer.

Adequacy decisions are made by the European Commission and establish that a given country has adequate data protection and privacy measures. For transfers that do not fall within the scope of an existing adequacy decision, “appropriate safeguards” must be established. Article 46 of the GDPR lists several mechanisms that can be used to legitimize a transfer, including standard contractual clauses, binding corporate rules, codes of conduct, certification mechanisms, ad hoc contractual clauses, and international agreements or administrative arrangements.

What This Means for You

The EDPB’s guidance is instructive for companies attempting to determine which of their data processing activities must comply with Article V of the GDPR. For example, this guidance can be used to determine whether a contract with a data processor should include EU standard contractual clauses. It may encourage companies whose processing activities are not otherwise subject to the GDPR to use that collection method rather than filtering the data through processors established in the EU. It may lead to companies whose processing activities are not otherwise subject to the GDPR using that collection method rather than processors established in the EU.  However, controllers and processors alike should remember that, although a particular data flow may not constitute a transfer under Chapter V, such processing is not necessarily exempt from obligations under the GDPR. Regardless of whether the processing takes place in the EEA or not, controllers and processors involved in processing activities under Article 3 should continue to take steps to comply with all applicable provisions of the GDPR, including  Article 32’s obligation to implement technical and organizational measures to protect personal data.

¹ See EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data and EDPB Recommendations 02/2020 on the European Essential Guarantees for surveillance measures.