On 18 November the European Data Protection Board (EDPB) published Guidelines on the Interplay between the application of Article 3 (territorial scope) and the provisions on international transfers under Chapter V of the GDPR.
Essentially, in order to qualify as a transfer under the GDPR:
- The data exporter must be a controller or processor that is subject to the GDPR for the relevant processing activity (i.e. caught by the GDPR's territorial scope under Art. 3);
- The data exporter must be disclosing (whether by transmission or otherwise making available) personal data to another controller/joint controller/processor/sub-processor as data importer; and
- The data importer must be in a third country. The fact that the data importer may be directly subject to the GDPR does not exempt such disclosure from qualifying as a transfer under the GDPR and therefore triggering the application of Chapter V.
Some other key points:
- Companies that form part of the same corporate group may qualify as separate controllers or processors. As a result, a disclosure of personal data from one company to another company in the same corporate group may constitute a transfer.
- Personal data accessed remotely by a company's employee while visiting a third country is not a transfer, because the employee is not a separate controller or processor, but an integral part of the company.
- Personal data disclosed directly by a data subject to a controller in a third country (and subject to the GDPR for the processing activity) is not a transfer. Here, the data subject is not a controller or processor sending or making the data available.
- Although such a direct disclosure by a data subject is not considered a transfer, it can still be associated with risks due to the location of the controller in a third country (e.g. public authority access, lack of redress).
- In these circumstances, the controller is still accountable for its processing activities and must comply with its wider GDPR obligations (e.g. security, breach notification, privacy impact assessments).
- A controller may therefore conclude that extensive security measures are required or even that it would not be lawful to conduct or proceed with a specific processing activity in a third country despite there being no GDPR transfer situation.
While these guidelines have been issued by the EDPB, they are extremely important to all UK organisations that process the personal data of individuals in the EEA and are therefore caught by the GDPR's territorial scope. They can also help UK organisations interpret the rules on international data transfers under the UK GDPR until such time as further guidance is issued by the Information Commissioner's Office.
If you need advice on whether your data sharing or processing activities constitute a transfer and, if so, what safeguards are needed to make the transfer lawful, please contact one of our privacy specialists.