On 14 February 2023, the European Data Protection Board (EDPB) issued the final version of the “Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR” (the Guidelines, published as a PDF by the EDPB). The Guidelines clarify how the provisions of the General Data Protection Regulation (GDPR) apply to so-called third country transfers, more commonly known as international (data) transfers.
In this article, we define a third country transfer within the meaning of the GDPR, and we explain why companies that have no establishment in the EU but are nevertheless bound by the GDPR should also take note of the Guidelines.
What rules do companies have to comply with in case of a third country transfer?
For a GDPR-compliant third country transfer, i.e. any transfer of personal data to a country outside the EU or the European Economic Area, a transfer mechanism has to be put in place ensuring that data is also adequately protected outside the EU. In a nutshell, companies can rely on one of the following transfer mechanisms:
- Adequacy decision of the European Commission: If the European Commission has adopted a decision granting a specific country adequacy status, transfers to that country can take place without any further restrictions,
- Binding corporate rules (BCR): Their practical relevance is limited to large multinational corporations, however, as they not only have to be drafted by the company itself but also approved by the competent supervisory authority,
- Standard contractual clauses (SCCs), which are by far the most commonly used transfer mechanism, or
- Exceptions pursuant to Art. 49 GDPR, which can only be relied upon in exceptional circumstances.
What is a third country transfer?
After the decision of the Court of Justice of the European Union in Schrems II, the EDPB issued guidance on third country transfers. However, while the Recommendations 01/2020 assess the technical, organisational and contractual measures companies can employ to ensure the adequate protection of data transferred outside the EU, the new Guidelines 05/2021 provide criteria for determining whether a given processing operation qualifies as a third country transfer within the meaning of the GDPR. One first has to identify whether a third country transfer is taking place and, if so, find a transfer mechanism to be used and ascertain whether further measures need to be put in place.
In practice, there has never been any doubt that a transfer of data from a company located in the EU, i.e. subject to the GDPR, to a company outside the EU and not subject to the GDPR constitutes a third country transfer. For example, a company in Germany uses HR software supplied by a company located in the U.S., and the personal data of German employees is transferred to the company in the U.S. via the HR software for processing.
The majority of third country transfers, such as transfers from an EU controller to a non-EU processor (service provider), fall under this category. By contrast, no guidance has been available so far with regard to data transfers by or to companies not established in the EU but nonetheless subject to the GDPR by virtue of Art. 3 (2) GDPR, i.e. because they offer goods or services to data subjects in the EU or monitor their behaviour. The new EDPB Guidelines fill this gap and are hence especially relevant for such non-EU companies. Essentially, any company required to appoint an EU representative should take cognizance of the Guidelines.
According to the EDPB, for a certain processing operation to be considered a third country transfer, three conditions have to be fulfilled cumulatively:
- The initial controller or processor is subject to the GDPR for the given processing,
- This controller or processor (exporter) discloses by transmission or otherwise makes relevant personal data available to another controller, joint controller or processor (importer), and
- The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Art. 3 (2) GDPR.
First condition: The exporting company is subject to the GDPR
For a processing operation to be considered a third country transfer, the initial controller or processor – i.e. the company that intends to transfer data – must first be subject to the GDPR for that specific processing operation. Due to the extraterritorial scope of the GDPR, this comprises not only all companies established in the EU but also non-EU companies that fall under the applicability of the GDPR pursuant to Art. 3 (2) GDPR, as discussed above.
A practical example: A U.S. mobile app developer that provides its services to data subjects in the EU, and is hence subject to the GDPR, will have to comply with the GDPR provisions on third country transfers when engaging a processor located outside the EU, even if that processor is also located in the U.S.
The EDPB emphasizes that whether or not the GDPR applies must always be assessed in relation to a certain processing operation rather than with regard to a specific entity (e.g., a company). A company may be outside the application of the GDPR for all processing operations, except for one, and must then still comply with the GDPR for that one specific processing operation.
Second condition: The exporter discloses the data or otherwise makes it available to another controller or processor outside the EU
Like the first condition, the second condition has also been largely undisputed in legal practice. Nonetheless, the EDPB Guidelines provide some useful clarifications regarding the second criterion.
The EDPB provides the following examples of how personal data could be “made available”:
- by creating an account,
- granting access rights to an existing account,
- confirming or accepting an effective request for remote access,
- embedding a hard drive, or
- submitting a password to a file.
The EDPB clarifies that remote access from a third country (even if it takes place only by means of displaying personal data on a screen, for example in support situations, troubleshooting or for administration purposes) and/or storage in a cloud situated outside the EEA offered by a service provider, are also considered to be a transfer.
In particular, the EDPB underlines that two separate controllers and/or processors have to be involved in a processing operation for it to be considered a third country transfer. Hence, situations where the data subject herself directly and on her own initiative discloses personal data to a non-EU company – e.g. a European traveler booking a hotel room in Brazil – are not considered third country transfers.
Similarly, an employee remotely accessing personal data held by the company she works for in the EU while being on a business trip in a third country does not constitute a third country transfer, as the employee is not a separate controller but rather an integral part of the company for which she works.
In both cases, the requirements on third country transfers set forth in Chapter V of the GDPR do not apply. Nonetheless, as underlined by the EDPB, the company might still be required to put appropriate data protection measures in place to comply with other obligations enshrined in the GDPR. As a last resort, the controller may even conclude that such processing cannot take place at all, for example by prohibiting employees from taking their laptops to certain third countries considered particularly risky.
Note for corporate groups: Entities which form part of the same corporate group may qualify as separate controllers or processors. Consequently, data transfers between entities belonging to the same corporate group (intra-group data disclosures) may constitute international transfers of personal data.
Third condition: The importer is in a third country, irrespective of whether it is subject to the GDPR pursuant to Art. 3(2) GDPR
The third criterion requires that the receiving company (importer) is geographically located in a third country. In this regard, it is irrelevant whether the relevant data processing falls under the GDPR pursuant to Art. 3 (2) thereof.
The EDPB reasons that even though the processing at hand is covered by the GDPR, this protection might be undermined by the national legislation of the data importer's country, for example if the rules on government access to personal data go beyond what is necessary and proportionate in a democratic society. The application of the GDPR rules on third country transfers is intended to compensate for this risk. In the same vein, the EDPB notes that the fact that the importer is already bound by the GDPR has to be taken into account: the application of the rules on third country transfers shall not duplicate the GDPR obligations already in place but merely “fill in the gaps” where necessary.
The practical problem lies in the fact that the SCCs of 2021 – the only set of SCCs currently available and often the only mechanism that comes into question for a specific transfer situation – explicitly state that they may be used only in cases where the processing by the importer is not already covered by the GDPR.
Currently, companies might often not have an appropriate transfer mechanism for transfers to non-EU companies bound by the GDPR pursuant to Art. 3 (2) thereof, as the existing SCCs are not meant to be used in such situations and a dedicated set of SCCs for such transfers does not yet exist. The European Commission has indeed announced its intention to develop a specific set of SCCs for transfers to importers subject to Art. 3 (2) GDPR (SCCs lite). However, it might take years before these become effective. In the meantime, affected companies face legal risks when they want to transfer data abroad, as they will often have no transfer tool available that fully fits the intended processing operations.
Conclusion
The new EDPB Guidelines provide valuable guidance on the notion of a third country transfer pursuant to the GDPR, thereby clarifying when companies must comply with the requirements for third country transfers. The Guidelines are particularly relevant for non-EU companies bound by the GDPR by virtue of its Art. 3 (2), as no comparable guidance has existed thus far.
Unfortunately, the Guidelines did not solve the problems pertaining to transfers to non-EU companies covered by the extraterritorial scope of the GDPR but rather raised additional questions in this regard. Furthermore, it is still unclear when the European Commission will publish a dedicated set of SCCs for transfers to companies falling under Art. 3 (2) GDPR.