Оn 19 November 2021, the European Data Protection Board (EDPB) published the draft guidance on the interplay between the provisions of the GDPR on territorial scope (in Article 3) and on international data transfers (Chapter V).
The proposed guidance is highly relevant for any organization engaging providers in third countries or processing personal data of individuals in the EU.
The draft guidelines will be open for consultation until 31 January 2021.
The draft guidelines suggest that to qualify as a data transfer to third country, a processing operation should comply with the three cumulative criteria. If these criteria are not met, there is no “transfer” and Chapter V of the GDPR does not apply. The EDPB names the following three criteria and provides detailed examples for each criterion:
- a controller or a processor is subject to the GDPR for the given processing;
this controller or processor (defined as exporter) “discloses by transmission or otherwise makes personal data, subject to this processing, available” to another controller, joint controller or processor (defined as importer). This explicitly excludes situations of buying items online from a non-EEA web shop. In relation to a corporate group, the EDPB notes that entities which form part of the same corporate group may qualify as separate controllers or processors, and therefore the transfer situation (and applicability of Chapter V) will apply;
the importer is in a third country or is an international organization, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3. The EDPB emphasizes that the importer should be geographically in a third country (or is an international organization), regardless of whether the processing at hand falls under the scope of the GDPR.
During the consultation period, any interested party may provide an opinion on the draft guidelines.