November 22, 2021
On November 19, 2021, the European Data Protection Board (“EDPB”) issued draft guidance on the interplay between Article 3 of the General Data Protection Regulation (“GDPR”) and the provisions on international transfers outlined in Chapter V GDPR (“Guidance”). The Guidance aims to clarify various international data transfer questions, including when the provisions for international transfers under Chapter V GDPR apply and, if so, which mechanisms under Chapter V GDPR can be relied on.
These questions became a hot topic when the European Commission stated that the new standard contractual clauses of 2021[1] (“2021 SCC”) only apply to data transfers between a data exporter and a data importer who itself is not subject to GDPR by virtue of Article 3. However, it was left unclear whether in such a scenario no SCCs would be needed (as Chapter V GDPR would not apply) or whether alternative SCCs would be required and what to do in the interim until such new SCCs are adopted.
The FAQs below summarize and provide recommendations on the key points outlined in the new Guidance. You can also listen to our discussion about the new Guidance or use our complimentary Cross-Border Data Transfer (XBT) Tool to assess your risk during international data transfers.
Yes. Putting an end to long-running controversy[2], the EDPB clearly stated that any transfer from an EU-based data exporter (be it a controller or a processor) to a data importer based outside the EU is a transfer within the meaning of Art. 44 GDPR and thus subject to Chapter V GDPR. This applies regardless of whether the data importer is itself subject to the GDPR. As a result, in most cases, data importers will need to enter into SCCs or adopt Binding Corporate Rules.
No. Recital 7 of the 2021 SCC [3] states that the new SCCs may be used “for such transfers only to the extent that the processing by the importer does not fall within the scope of Regulation (EU) 2016/679.” As a result, where the data importer is a controller or processor and at the same time is itself subject to the GDPR, for example, because it renders services to individuals living in the EU, the new SCCs would not apply. That does not, however, mean that no additional safeguards are needed. Unfortunately, as shown in the answer to question number 3 below, the EDPB does not give clear instruction on what to do.
Currently, there is no clear solution for such data importers. The European Commission announced that it will work on a new set of SCCs that would address such situations, and the EDPB noted that such clauses will focus on protection from other legislation applicable to the importer. In particular, government access in the third country would need to be addressed, and the importer would need to implement adequate security measures.[4] However, until these newer SCCs are adopted, companies face a great deal of uncertainty. Since the old SCCs of 2001 and 2004 can no longer be used for new data transfers, it seems sensible to use the 2021 SCC for the time being. Companies should also perform a transfer impact assessment as required by the Schrems II ruling of the CJEU.
The EDPB clarified that a so-called “direct collection” of personal data from individuals in the EU does not constitute a transfer within the meaning of Art. 44 GDPR and thus does not trigger the requirements under Chapter V GDPR, because there is no transfer from a controller or processor. Companies located outside the EU who offer goods and services to individuals in the EU thus do not need to meet the requirements under Chapter V GDPR. However, the EDPB stressed that companies who are subject to the GDPR need to respect the other principles of the GDPR, in particular Art. 32 but also Art. 48 GDPR.[5] Their security measures need to address the risks of collecting and storing data in a country where such data is subject to access by law enforcement beyond what is justifiable in the EU. Arguably, this could be understood as requiring such companies to conduct a transfer assessment like the one outlined in the EDPB guidelines published in June 2021 (updated version).
Entities with establishments both in and outside the EU have often faced the question of whether their intra-company data transfers from the EU to other establishments of the same entity outside the EU must meet the Chapter V GDPR requirements. The EDPB clarified that a transfer within the meaning of Art. 44 (Chapter V GDPR) requires two parties, a data exporter and a data importer.[6] Whenever there are data transfers between parts of the same entity, for example, sharing data with an employee traveling overseas[7] or between two establishments belonging to the same entity, the transfer does not fall under Art. 44 et seq. However, since all other requirements under the GDPR must be met, Art. 32 GDPR applies, and the security measures need to reflect the specific risks arising from the exposure of personal data to a third jurisdiction outside the EU (see considerations under question number 4 above).
Yes, the Guidance clarifies that processors also need to comply with Chapter V GDPR. The EDPB provides various examples to explain when processors need to take special precautions to meet the Chapter V GDPR requirements:
[1] Cf. Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
[2] See Kühling/Buchner-Schröder, Commentary of the GDPR/BDSG, 3rd ed. 2020, Art. 44 paragraph 16a et seq., with further references to the differing views.
[3] Cf. Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.