6 Key Things to Know about the New EDPB Guidance on International Data Transfers

November 22, 2021

On November 19, 2021, the European Data Protection Board (“EDPB”) issued draft guidance on the interplay between Article 3 of the General Data Protection Regulation (“GDPR”) and the provisions on international transfers outlined in Chapter V GDPR (“Guidance”). The Guidance aims to clarify various international data transfer questions, including when the provisions for international transfers under Chapter V GDPR apply and, if so, which mechanisms under Chapter V GDPR can be relied on.

These questions became a hot topic when the European Commission stated that the new standard contractual clauses of 2021[1] (“2021 SCC”) only apply to data transfers between a data exporter and a data importer who is itself not subject to the GDPR by virtue of Article 3. However, it was left unclear whether in such a scenario no SCCs would be needed at all (because Chapter V GDPR would not apply) or whether alternative SCCs would be required, and what to do in the interim until such new SCCs are adopted.

The FAQs below summarize the key points of the new Guidance and provide recommendations for each.

1.    Are data transfers from an EU-based data exporter to a data importer outside the EU subject to the requirements under Chapter V GDPR if the data importer is subject to the GDPR?

Yes. Putting an end to a long-running controversy[2], the EDPB clearly stated that any transfer from an EU-based data exporter (be it a controller or a processor) to a data importer based outside the EU is a transfer within the meaning of Art. 44 GDPR and thus subject to Chapter V GDPR. This applies regardless of whether the data importer is itself subject to the GDPR. As a result, in most cases, data exporters and importers will need to enter into SCCs or adopt Binding Corporate Rules.

2.    Do the new SCCs issued in June 2021 cover data transfers to data importers who are subject to GDPR?

No. Recital 7 of the 2021 SCC[3] states that the new SCCs may be used “for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679.” As a result, where the data importer is a controller or processor that is at the same time itself subject to the GDPR, for example because it offers services to individuals in the EU, the new SCCs do not apply. That does not, however, mean that no additional safeguards are needed. Unfortunately, as shown in the answer to question 3 below, the EDPB does not give clear instructions on what to do.

3.    What should data importers subject to GDPR do in the absence of clarity on the applicable transfer mechanism?

Currently, there is no clear solution for such data importers. The European Commission announced that it will work on a new set of SCCs to address such situations, and the EDPB noted that such clauses will focus on protection against other legislation applicable to the importer. In particular, government access in the third country would need to be addressed, and the importer would need to implement adequate security measures.[4] Until these newer SCCs are adopted, however, companies face a great deal of uncertainty. Since the old SCCs of 2001 and 2004 can no longer be used for new data transfers, it seems sensible to use the 2021 SCC for the time being. Companies should also perform a transfer impact assessment as required by the Schrems II ruling of the CJEU.

4.    What if a company outside the EU collects data from individuals in the EU?

The EDPB clarified that a so-called “direct collection” of personal data from individuals in the EU does not constitute a transfer within the meaning of Art. 44 GDPR and thus does not trigger the requirements under Chapter V GDPR, because there is no transfer from a controller or processor. Companies located outside the EU that offer goods and services to individuals in the EU therefore do not need to meet the requirements under Chapter V GDPR. However, the EDPB stressed that companies subject to the GDPR must still respect the other principles of the GDPR, in particular Art. 32 but also Art. 48 GDPR.[5] Their security measures need to address the risks of collecting and storing data in a country where such data is subject to access by law enforcement beyond what is justifiable in the EU. Arguably, this could be read as requiring such companies to conduct a transfer assessment like the one outlined in the EDPB guidelines published in June 2021 (updated version).

5.    What about transfers between EU and non-EU based establishments of the same entity?

Entities with establishments both in the EU and outside the EU have often faced the question of whether their intra-company data transfers from the EU to other establishments of the same entity outside the EU must meet the Chapter V GDPR requirements. The EDPB clarified that a transfer within the meaning of Art. 44 (Chapter V GDPR) requires two parties, a data exporter and a data importer.[6] Whenever data flows between parts of the same entity, be it, for example, the sharing of data with an employee traveling overseas[7] or between two establishments belonging to the same entity, the transfer does not fall under Art. 44 et seq. However, since all other requirements under the GDPR must still be met, Art. 32 GDPR applies, and the security measures need to reflect the specific risks arising from the exposure of personal data to a third jurisdiction outside the EU (see the considerations under question 4 above).

6.    Do the requirements under Chapter V GDPR also apply to processors?

Yes, the Guidance clarifies that processors also need to comply with Chapter V GDPR. The EDPB provides various examples to explain when processors need to take special precautions to meet the Chapter V GDPR requirements:

  • Example 3: Covers the scenario where a controller located outside the EU sends data to a processor located inside the EU. Even though such data may not relate to EU individuals, the EU-based processor is subject to the GDPR under Art. 3(1) GDPR. In line with Art. 44(1) GDPR, it needs to ensure that the transfer of the processed data back to the controller outside the EU meets the safeguards required under Chapter V GDPR. This situation may often be covered by Module 4 of the 2021 SCCs.
  • Example 4: Describes the scenario where an EU-based processor engages a sub-processor located outside the EU. This applies, for example, to an EU-based SaaS provider that engages a hosting provider located outside the EU. In such a scenario, the EU-based processor needs to comply with Chapter V GDPR. Most often, the clauses under Module 3 of the 2021 SCCs can be used.

[1] Cf. Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

[2] See Kühling/Buchner-Schröder, Commentary of the GDPR/BDSG, 3rd ed. 2020, Art. 44 para. 16a et seq., with further references to the differing views.

[3] Cf. Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

[4] See paragraphs 3 and 23 of the Guidance.

[5] See paragraphs 5 and 17 of the Guidance.

[6] See paragraphs 7 and 15 of the Guidance.

[7] See example 5 in paragraph 14 of the Guidance.