BCLP Global Data Privacy FAQ: what counts as a “transfer” of data under the EU GDPR? New draft EU guidelines published | Bryan Cave Leighton Paisner

Summary

It is well known that the EU GDPR (in particular, Chapter V) limits transfers of personal data from the EU to a “third country” (i.e. a jurisdiction outside the EU. EEA) or to an international organization. But what do we mean by “transfer”? And how does this apply when the extraterritorial scope of the EU GDPR (as defined in Article 3) means that an organization outside the EEA is required to comply with the GDPR of the EU. ‘EU, including Chapter V, while personal data may already be outside the territory of the EU?

On November 19, 2021, the European Data Protection Board (“EDPS”) Published project Guidelines 05/2021 on the interaction between the application of article 3 and chapter V of the GDPR. The EDPB has identified three criteria that must all be met for a “transfer” to occur:

1. A controller or processor is subject to the EU GDPR for the given processing.

First of all, the exporting organization must be submitted to the EU GDPR for the corresponding processing. Under Article 3 (2) this therefore includes organizations not established in the EU which are subject to the EU GDPR on the grounds of “targeting” of goods / services or “behavior monitoring”. A transfer could therefore take place between two organizations based in a “third country” (for example, a controller in the United States and a processor based in the United States or Brazil).

2. This controller or processor (“exporter”) discloses by transmission, or otherwise makes the personal data, subject to such processing, available to another controller, co-controller or processor ( “Importer”).

The draft guidance offers a number of interesting information on this aspect:

• Online consumers: There will be no transfer when personal data is disclosed directly and on the initiative of a data subject in the EU to a controller or processor located in a third country, for example by the ‘intermediary of a customer in Italy entering personal data into the online form of a retailer established in Singapore that does not have a presence in the EU. If this stays in the final guidelines, it will be well received by online retailers.
• Separate entities: There will only be a transfer when the personal data is shared between two separate controllers and / or subcontractors; disclosures of data between entities of the same group of companies can therefore constitute transfers.
• International business trips: When personal data is accessed remotely from a third country, it will not be a transfer when the data is accessed by an employee (on the basis that such an employee is an “integral part of the controller And not a separate importing entity). For example, an employee accessing personal data through their employer’s computer systems while on a business trip to India will not constitute a “transfer” under Chapter V. Organizations should always apply the appropriate technical and organizational measures. to data (Article 32, EU GDPR) and could conclude that employees cannot bring their laptops to certain countries, based on a security risk assessment.

3. The importer is located in a third country or is an international organization, whether or not such importer is subject to the EU GDPR with regard to the processing given in accordance with Article 3.

The draft guidelines state that if the importer is to be in a third country (or an international organization), it does not matter whether or not they are subject to the EU GDPR when deciding whether a transfer takes place.

• Sending data “at home”: the draft guidance gives two examples where processors in the EU return personal data to organizations responsible for processing in a third country. In one example, the importer is subject to the EU GDPR (offering goods and services to individuals in the EU) and in the other, the importer is not. Chapter V will apply to both situations, although the guidance suggests that the expected guarantees may well be different.

In our next FAQ, we will examine what consequences and expectations may arise from these different types of “transfer” in terms of guarantees, and the current reflection on whether the new standard contractual clauses of the European Commission of June 2021 (“CSC“) can be used when the importer is subject to the EU GDPR.

The EDPB’s draft guidelines are the subject of a public consultation which should end on January 31, 2022.