The European Data Protection Board (“EDPB”) published on 14 February 2023, an updated and final version of the Guidelines 05/2021 on the interaction between the application of Article 3 and the provisions on international transfers under Chapter V of the GDPR (EDPB Guidelines 05/2021). While the main message of the document remains unchanged from the initial version published in 2021, the EDPB has provided additional details to clarify its three crucial criteria for categorizing the processing of personal data as a transfer to a third country in the updated guidelines.
Transfer to a third country
As the GDPR doesn’t define “transfer of personal data to a third country or international organization” and there is limited case law on this, the EDPB has established criteria for such transfers:
- Controller/Processor (“exporter”) are subject to the GDPR for certain processing.
- The exporter will transmit or otherwise disclose the personal data subject to this processing and make it available to another controller, joint controller or processor (“importer“), and
- If the importer is located in a third country, it is irrelevant whether this importer is subject to the GDPR for the given processing pursuant to Article 3 of the GDPR or is an international organization.
Processing activities that don’t meet these criteria can’t be considered transfers under the GDPR.
The EDPB mandates that controllers adhere to GDPR provisions and process activities irrespective of their location, even if Chapter 5 of the GDPR doesn’t apply. Processing outside the EU can pose risks, such as conflicting domestic laws or third-country authorities’ disproportionate access rights, as in the case of an EU controller’s employee accessing their data while in a third country. Controllers should assess these risks and implement appropriate data security measures before transferring personal data.
In this regard, the Commission of the independent German federal and state data protection supervisory authorities (Datenschutzkonferenz –”DSK“) – The Commission, composed of federal and state data protection supervisory authorities, addresses and comments on current data protection issues in Germany current data protection legislation (DSK resolution of 31 January 2023), the mere risk that public authorities in a third country may request the transmission of personal data to a third country is not sufficient to envision a transfer of data within the meaning of Article 2. 44 onwards. GDPR itself.
EDPB and DSK offer examples of security measures to take in such situations, such as implementing suitable technical and organizational measures, conducting a thorough analysis of third-country laws, ensuring guarantees from contract partners and assessing associated risks that may arise from the transfer.
Standard specification
The EDPB has now specified the above criteria in the second edition of the guidelines 05/2021. To this end, the EDPB will comply with Art. 3 GDPR and Chapter V of the GDPR.
Criterion 2 is particularly relevant because making personal data available, such as through remote access from a third country or cloud storage outside the EEA, satisfies this criterion. This condition also meets other criteria. However, if the processing activity is solely internal to the controller and the data is not shared with another controller or processor, and therefore doesn’t leave the controller’s organizational structure, the personal data won’t be considered ‘available’ to a different controller/processor. Example 8.1 of Guideline 05/2021 illustrates this scenario.
The final example in the EDPB’s guidelines is crucial for data protection practices, involving an EU-based controller contracting with a processor who is also a subsidiary of their EU-based but third-country-based company. Although transfers of personal data from controllers to processors aren’t considered third-country transfers, if the subsidiary processor is subject to third-country laws and extraterritoriality applies, it could become problematic.
This could lead to third-country authorities demanding personal data processed by the processor on behalf of the controller to be transmitted to them according to applicable local law, which the EDPB considers a third-country transfer. If the controller prohibits such transfers in their Data Processing Agreement, the Processor would be deemed the controller of the processing operation under Art. 28(10) GDPR.
It’s the controller’s responsibility to check beforehand if entrusted processors are subject to third-country access rights and take necessary technical and organizational measures to ensure compliance with Chapter V of GDPR.
Conclusion
EDPB’s non-binding guidelines 05/2021 are valuable in providing understandable and user-friendly guidance on transfers to third countries within the scope of the GDPR. These guidelines also highlight that data controllers may still risk violating GDPR even if the data flow isn’t considered a transfer to a third-country, although this risk is more abstract. Considering the complexity of processing operations involving additional controllers or processors, it’s recommended to limit the transfer of personal data to third-countries and implement appropriate security measures to avoid potential fines.
Additionally, EDPB’s clarification that transfers of personal data by EU-based processors to third-country authorities may contradict instructions and deem the processor a controller under art. 28(10) of GDPR is noteworthy.
DELTA Data Protection & Compliance, Inc. Academy & Consulting – The DELTA NEWS – Visit: delta-compliance.com
