EU: EDPB releases guidelines on interplay between Article 3 and Chapter V of GDPR
The European Data Protection Board ('EDPB') published, on 19 November 2021, its Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, as adopted on 18 November 2021. In particular, the guidelines aim to clarify the interplay between Article 3 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') and the provisions of the GDPR on international transfers in Chapter V in order to assist controllers and processors in the EU in identifying whether data processing constitutes a transfer to a third country or to an international organisation and, as a result, whether they have to comply with the provisions of Chapter V of the GDPR.
More specifically, the guidelines identify the three following cumulative criteria that qualify data processing as a transfer:
- a controller or a processor is subject to the GDPR for the given processing;
- this controller or processor (i.e. the exporter) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller, or processor (i.e. the data importer); and
- the importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.
The guidelines provide further guidance on each of these criteria with supplementary examples of specific processing situations which the EDPB has considered. For example, the examples provided clarify that the second criterion listed above is neither fulfilled in cases where the controller in a third country collects data directly from a data subject in the EU, nor in cases of remote access of personal data in a third country by an employee of the controller.
In addition, the guidelines outline that, if all of the criteria are met, there is a 'transfer to a third country or to an international organisation', and the controller or processor in the given processing situation will therefore be required to comply with the conditions of Chapter V and frame the transfer by using the instruments provided in Chapter V, which aim at protecting personal data after they have been transferred to a third country or an international organisation.
Furthemore, the guidelines note that such instruments include the existence of an adequate level of protection in the third country or international organisation to which the data is transferred, or in the absence of such adequate level of protection, the implementation by the exporter of appropriate safeguards as provided for in Article 46 of the GDPR. Further to this point, the guidelines highlight that the content of the Article 46 safeguards needs to be customised depending on the situation, noting for example the modular approach in the Standard Contractual Clauses ('SCCs') adopted by the European Commission in June 2021. Accordingly, the guidelines provide that when developing transfer tools such as SCCs, the Article 3(2) situation should be taken into account in order not to duplicate the GDPR obligations but rather to address the elements and principles that are missing and, thus, needed to fill the gaps relating to conflicting national laws and government access in the third country, as well as the difficulty to enforce and obtain redress against an entity outside the EU.
Further to the above, the guidelines encourage the development of a transfer tool, such as a new set of SCCs, in cases where the importer is subject to the GDPR for the given processing in accordance with Article 3(2).
You can read the guidelines here.