New guidelines regarding transfers of personal data to third countries

The European Data Protection Board, EDPB, has adopted a new guideline that clarifies what constitutes, and does not constitute, the transfer of personal data to third countries.

Chapter V ensures protection of personal data, even after it’s been distributed to a third country or an international organisation. The new guidelines are meant to clarify  the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR. Meaning, for example, a clarification of what counts as transfers of personal data to third countries, and what does not. The new guidelines are open for public consultation until January 31st 2022.

What is classified as a transfer of personal data?

EDPB has identified three criterias that qualifies processing of personal data as a transfer:

  1.  A controller or processor is subject to the GDPR for the given processing.
  2. The controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”). 
  3. The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing.

If all of the criteria above are met, there is a “transfer to a third country or to an international organisation”.

As a consequence, the controller or processor in a “transfer” situation (according to the criteria described above) needs to comply with the conditions of Chapter V and frame the transfer by using the instruments which aim at protecting personal data after they’ve been transferred.

These instruments include the recognition of the existence of an adequate level of protection in the third country or international organisation to which the data is transferred, or the implementation of appropriate safeguards, listed below:

  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (BCRs)
  • Codes of conduct
  • Certification mechanisms
  • Ad hoc contractual clauses
  • International agreements/Administrative arrangements.

Anna Lööv, partner and founder of Kompass Advokat, comments on the proposed guidelines:

 “In practice, the guidelines mean that companies within the EU/EEA can form an understanding of what is actually a third country transfer and what is not. EDPB has created a number of examples that makes it easy to assess different situations.” Says Anna. 

“One example explains that companies outside of the EU/EEA that collect personal data from European customers, do not need to apply the rules on third country transfers. According to another example, it is not a third country transfer when an employee of a company goes on a business trip and gains access to personal data on the company’s platforms when she is outside the EU/EEA.”