On 14 February 2023, the European Data Protection Board (“EDPB”) published the updated and final version of its Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (EDPB Guidelines 05/2021). In comparison to the first version of the guidelines published in 2021, the core messages of the paper remain the same. The EDPB sets out three essential criteria for qualifying a processing of personal data as a transfer to a third country. In the update to its guidelines, the EDPB now specifies these requirements in more concrete terms.
Transfer to a third country
Since the GDPR itself does not provide for a definition of the term “transfer of personal data to a third country or to an international organisation” and case law only exists to a limited extent in this regard, the EDPB elaborates three cumulative criteria to qualify a processing operation as a transfer:
- the controller/processor (“exporter”) is subject to the GDPR for the given processing,
- the exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”), and
- the importer is located in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Art 3 GDPR or is an international organisation.
If one of these criteria is not met, the respective processing activity cannot be considered a transfer within the meaning of the GDPR.
Even if the provisions of Chapter V of the GDPR do not apply in such cases, the EDPB expressly points out that the controller must nevertheless comply with the other provisions of the GDPR and remains fully accountable for its processing activities, regardless of where they take place. Processing activities may be associated with certain risks if they take place outside of the EU (e.g. where an employee of an EU controller travels abroad and has access to the data of that controller while being in a third country). Such risks may arise from conflicting national law or disproportionate access rights for the authorities of the third country. A controller must take these risks into account when initiating a transmission of personal data and take appropriate data security measures.
In this regard, the Committee of Independent German Federal and State Data Protection Supervisory Authorities (Datenschutzkonferenz – “DSK”), a board consisting of the federal and state data protection supervisory authorities that deals with and comments on current data protection issues in Germany, stated in its resolution of 31 January 2023 on the assessment of access possibilities to personal data for public authorities of third countries under current data protection law (DSK-resolution of January 31, 2023) that the mere risk that public authorities of third countries might request a transmission of personal data to the third country is not, per se, sufficient to assume a transfer of data within the meaning of Art. 44 et seqq. GDPR.
Both the EDPB and the DSK provide examples of security measures to be taken in such cases. These include, among other things, the implementation of appropriate technical and organizational measures as well as a detailed examination of the law of the third country, any assurances given by the contractual partner and the possibility of complying with them, and the assessment of other risks associated with the transmission.
Specification of the criteria
The EDPB now specifies the above criteria in its second version of the Guidelines 05/2021. For this purpose, the EDPB also elaborates extensive examples of application, which illustrate the interplay between Art. 3 GDPR and Chapter V of the GDPR.
Of particular relevance is the clarification that personal data is made available (criterion 2) if, for example, it is accessed remotely from a third country or is stored in a cloud outside the European Economic Area (EEA), provided the other criteria are met as well. However, if the data processing is of a solely internal nature to the controller, i.e. when the data is not being transferred to another controller or a processor and therefore does not leave the organizational structure of the controller, personal data is not “made available” to another controller/processor. This is illustrated in example 8.1 in the Guidelines 05/2021.
The twelfth and last example elaborated by the EDPB is also of high importance to data protection practice. In this scenario, a controller based in the EU engages a processor who is also based in the EU but is a subsidiary of a company based in a third country. Understandably, the EDPB does not consider the transfer of personal data by the controller to the processor as a third country transfer. However, this constellation becomes problematic in cases where the processor, in its function as a subsidiary, is also subject to laws with extraterritorial effect of the third country in which the parent company is located. This may result in authorities of the third country requesting that the personal data processed by the processor on behalf of the controller be transmitted to the respective authority in accordance with applicable local law of the third country. If the processor complies with this and transmits the data to authorities in the third country, the EDPB considers this to be a third country transfer. If the controller has prohibited such a transfer in the data processing agreement, the processor acts contrary to the instructions of the controller and is itself considered to be the controller for this processing operation pursuant to Art. 28 (10) GDPR. The controller is obliged to check in advance whether the commissioned processors are subject to such access rights of third country authorities and, if necessary, to take appropriate technical and organizational measures to ensure that the processing is also carried out in accordance with the provisions of Chapter V of the GDPR.
The legally non-binding Guidelines 05/2021 of the EDPB are to be welcomed insofar as they show in a comprehensible and easy-to-use manner in which constellations a third country transfer is to be assumed within the meaning of the GDPR, in particular taking into account the regulations on the territorial scope of application according to Art. 3 GDPR. In addition, they illustrate that there may nevertheless be risks of violations of the GDPR by data controllers in cases in which a data flow to a third country does not qualify as a third country transfer. This constitutes in our opinion a rather abstract risk and shall not lead to equal risk assessment obligations for a controller as for actual third country transfers. However, given the complexity and multi-layered nature of the possible constellations of processing operations, companies are well advised to carefully examine the extent to which personal data is transferred to a third country when involving additional controllers or processors in order to consider and implement appropriate security measures and avoid potential fines. Finally, it is pleasing to note the EDPB’s clarification regarding the fact that the transfer of personal data by a processor based in the EU to an authority in a third country may be contrary to instructions and will, if so, qualify the processor itself as a controller under Art. 28 (10) of the GDPR.