Privacy Talk

Pdf version Archive Subscribe
Your business • December 2021

Clarifications from the EDPB on data transfers to third countries

What you need to know.

The transfer of personal data from within the European Economic Area (‘EEA’) to a third country is only permitted if your company can guarantee that the personal data transferred to that third country enjoy protection equivalent to that afforded within the EEA. How this protection can be guaranteed is defined in Chapter V of the General Data Protection Regulation (‘GDPR’) (see this Privacy Talk).

It is thus important to know exactly when there is such a transfer to a third country. This concept is not defined in the GDPR. Therefore, the European Data Protection Board (‘EDBP’) in recent (draft) guidelines has set out the three cumulative criteria that qualify a processing operation as a transfer to a third country:

  1. First, the company exporting the personal data for such processing (be it as a controller or processor) must fall within the territorial scope of the GDPR. Thus, it cannot only be a company based in the EEA, but also a company based outside the EEA to the extent that it offers its goods and services to persons within the EEA or monitors the conduct of persons within the EEA.
     
  2. It is that company (the data exporter) which must transfer the personal data. Situations in which the data subject directly discloses his or her personal data are not considered a ‘transfer’ to which Chapter V of the GDPR applies. Furthermore, the personal data must be transferred to another (joint) controller or processor.
     
  3. This data importer must be established in a third country. It does not matter whether the data importer falls within the territorial scope of the GDPR or not.

Thus, these guidelines confirm that the transfer of personal data to a company in a third country which itself falls within the scope of the GDPR is also regarded as a 'transfer'.

Unfortunately, the guidelines do not elaborate on the concept of 'transfer' itself. They confirm that mere access to personal data should be considered as a transfer, but do not give other examples, such as e.g. copying in colleagues or other contacts in an e-mail to a company located outside the EEA. In line with the Lindqvist judgment of the European Court of Justice, this probably should not be regarded as a transfer, but a clear confirmation would have been welcome.

What you need to do.

Based on the three criteria above, you will need to determine whether any processing of your company constitutes a transfer to a third country. Then, for these processing operations, you will need to determine whether the personal data enjoy equivalent protection in that third country (see this Privacy Talk).

You should keep in mind that transfers within a group of companies may also qualify as a ‘transfer to a third country’ under the GDPR. The transfer of personal data by a subsidiary within the EEA to its parent company located in India, for example, must be qualified as a transfer to a third country and thus falls under the obligations of Chapter V of the GDPR.

When personal data are passed on between what are not two separate entities (each of them a (joint) controller or processor), it does not constitute a transfer. For example, if an employee of your - EEA-based - company goes on a business trip outside the EEA and remotely accesses your company's databases via his or her work computer, this does not constitute a 'transfer'. Your employee is not considered to be a data controller, but an integral part of your company.

That said, even if a processing of personal data does not constitute a ‘transfer’, it is appropriate to pay extra attention if the processing takes place in a third country. The GDPR requires that appropriate technical and organisational (security) measures be implemented which are appropriate to the risks presented by the processing (Articles 24 and 32 GDPR). The legal system of a third country can entail additional risks (e.g., in terms of government interference). Your company may thus decide to make certain processing impossible, such as remote access to certain databases from certain third countries, even if there is no actual transfer to a third country.

Please consult our website or contact one of our team members if you have questions or require more information: