Ducks overlooking outside scenery on bridge.

EU Data Protection Board guidance on international data transfers

Published on 07 July 2023

The question

How does the recent guidance issued by the European Data Protection Board (EDPB) assist businesses in complying with the EU GDPR when carrying out international data transfers?

The key takeaway

The EDPB has clarified the circumstances in which parties must take additional steps to ensure that personal data is safeguarded when it is transferred to data controllers or processors located outside the EEA.

The background

In February this year, the EDPB issued guidance (the Guidance) to help data controllers and processors comply with the EU GDPR when transferring data internationally. The official title of the Guidance is: “Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR”.

Article 3 sets out the territorial scope of the EU GDPR. Under Chapter V of the EU GDPR, a transfer of personal data to a country outside the EU (a Restricted Transfer) may only take place if either (i) the third country is subject to an adequacy decision; or (ii) appropriate safeguards have been used (eg standard contractual clauses or binding corporate rules), which aim to create enforceable legal rights and effective legal remedies to ensure that data which is transferred outside the EU is kept safe. The provisions of Chapter V aim at ensuring the continued protection of personal data after it has been transferred to a third country or to an international organisation. However, there has since been some confusion as to what constitutes a Restricted Transfer and how the appropriate safeguards should be applied where the relevant parties (especially the data exporting party) are located outside the EU but subject to the EU GDPR.

The development

The EDPB has set out a three-stage test to enable parties to establish whether the intended transfer is a Restricted Transfer:

  • A controller or processor (exporter) must be subject to the GDPR for the given processing.
  • The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller or processor (importer).
  • The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3.

The Guidance also provides 12 examples to help readers understand what does and does not constitute a Restricted Transfer. If there is a Restricted Transfer then, unless a particular derogation or exemption applies, the parties must use one of the appropriate safeguards aimed at protecting the data after it leaves the EEA. These safeguards include seeking to address possible conflicting national laws and government access in the third country, as well as the difficulty to enforce and obtain redress against an entity outside the EU.

Interestingly, the Guidance also recommends safeguards that should be applied where technically no Restricted Transfer takes place, but personal data is still processed outside the EEA (for example, where an employee of an EU controller travels abroad and has access to the data in a third country). The EDPB reminds organisations that they are responsible for their data processing activities regardless of where these take place. As an example, the EDPB notes that, in some circumstances, it may be reasonable for a controller to restrict employees from bringing laptops to certain third countries.

For ease of reference, and to see how useful the 12 examples are, here they are (noting that the Annex to the Guidance analyses each in turn):

  • Example 1: Controller in a third country collects data directly from a data subject in the EU (under Article 3(2) GDPR)
  • Example 2: Controller in a third country collects data directly from a data subject in the EU (under Article 3(2) GDPR) and uses a processor outside the EU for some processing activities
  • Example 3: Controller in a third country receives data directly from a data subject in the EU (but not under Article 3(2) GDPR) and uses a processor outside the EU for some processing activities
  • Example 4: Data collected by an EEA platform and then passed to a third country controller
  • Example 5: Controller in the EU sends data to a processor in a third country
  • Example 6: Processor in the EU sends data back to its controller in a third country
  • Example 7: Processor in the EU sends data to a sub-processor in a third country
  • Example 8: Employee of a controller in the EU travels to a third country on a business trip
  • Example 9: A subsidiary (controller) in the EU shares data with its parent company (processor) in a third country
  • Example 10: Processor in the EU sends data back to its controller in a third country
  • Example 11: Remote access to data in the EU by a third country processor acting on behalf of EU controllers
  • Example 12: Controller in the EU uses a processor in the EU subject to third country legislation

Why is this important?

The extra-territoriality provisions of the EU GDPR are far-reaching and, indeed, most multi¬≠national companies are within scope of the EU GDPR in some way. The Guidance, therefore, is helpful in recognising the complex data flows that are typical for such businesses and clarifying which are Restricted Transfers and subject to additional obligations under the law. Businesses should note, however, that their duties do not fall away simply because the data transfer does not fall specifically within the “Restricted Transfer” definition under the GDPR and that they may be required to put in place additional safeguards and processes depending on the country in which the data is being processed. Furthermore, while the Guidance is only binding with respect to the EU GDPR, it is also likely to be instructive in interpreting the UK GDPR.

Any practical tips?

Businesses should assess to what extent the new Guidance would result in their data transfers being re-characterised as either a Restricted Transfer or not. None of the positions by the EDPB in the Guidance are controversial, however, and so it is likely that the Guidance aligns with businesses interpretation of the GDPR transfer restrictions to date. However, particular attention should be paid to the EDPB’s recommendations regarding data processed in a third country that, whilst not a Restricted Transfer, may still be subject to access by national authorities in that country as this may affect businesses’ internal processes and policies.

Summer 2023