New EDPB guidelines about the definition of “international transfers”

Here is a 5-bullet points summary of the new EDPB guidelines defining the concept of “international transfers“:

1.- On 18 November 2021, the European Data Protection Board (the “EDPB”) published long-awaited guidelines on the interplay between Article 3 and Chapter V GDPR.

Guidelines are subject to public consultation until the end of January.

2.- The GDPR does not provide for a legal definition of the concept of “international transfers” (i.e. what constitutes a “transfer of personal data to third country or to an international organisation”). Clarifications were therefore welcome.

The aim of these Guidelines is to clarify the notion of “international data transfer” in order to assist EU controllers and processors in identifying whether a processing constitutes an international transfer and, as a result, whether they have to comply with the provisions of Chapter V of the GDPR.

3.- According to the EDPB Guidelines, three cumulative criteria must be met to qualify a processing as an international data transfer:

• The data exporter (a controller or processor) is subject to the GDPR for the given processing.
• This data exporter transmits or makes available the personal data to the data importer (another controller, joint controller or processor).
• The data importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.

4.- However, the EDPB states that the collection of data directly from EU data subjects does not constitute an international transfer. Therefore, no transfer mechanism must be adopted.

5.- Based on the third criterion, the importer shall be geographically in a third country or is an international organisation, regardless of whether the processing at hand falls under the scope of the GDPR. This may appear surprising since the Recital 7 of the new Standard Contractual Clauses of the European Commission clearly indicates that the SCCs could not be used for the transfer to non-EU data importers already subject to the GDPR (including based on the extraterritorial application of Article 3(2)). EDPB therefore creates new complexity by requiring the adoption a new transfer tool.

In the EDPB’s minutes (point 2) of its plenary meeting held in September 2021, the EDPB stated that following the adoption of these Guidelines, the EU Commission intends to develop a specific set of SCCs regarding transfers to importers subject to Article 3(2) GDPR.