The European Data Protection Board provides further insight on the interplay between GDPR Article 3 and Chapter V's provisions on international transfers. It clarifies GDPR (General Data Protection Regulation) data transfers outside the EU.
The provisions of Chapter V protect personal data if there is a transfer to a third country. On EU territory GDPR offer a high-level of protection for personal data. When there is transfer to entities outside the EU, the legal framework existent within the Union no longer applies.
Therefore, in the guidance, the EDPB argues that it is necessary to ensure protection of the transfer of data in other ways. One of them is the use of the transfer tools from Article 46 GDPR. That's necessary to assess whether the organizations should use supplementary measures to bring the level of protection to the EU standard.
This also applies in circumstances when the processing falls under the GDPR Article 3.
How to determine whether a processing is a transfer to third country or not?
There is currently no official definition of "personal data transmission to a foreign country or to an international organization." As a result, the EDPB makes another attempt to explain this topic.
The EDPB defines three conditions for a processing to be classified as a transfer. The guidance also includes a set of examples for each of the criteria to help clarify them.
The first condition is that the processing in question complies with Article 3 standards. Non-EU controllers and processors may be subject to the GDPR under Article 3(2) for a specific processing. As a result, they will have to comply with Chapter V when transferring personal data to a third country.
The second condition necessitates a controller or processor disclosing personal data "via transmission" to a distinct controller or processor.
According to the EDPB, this second condition cannot exist if the data subject discloses the information to the recipient on his/her own initiative. There is no controller or processor exporting or making data available in this situation.
The concept of international data transfer, according to Example 5, only applies to disclosures of personal data between two separate entities. Only disclosures of personal data between two distinct and separate entities are international data transfers. Entities that are part of the same corporate group, on the other hand, may be independent controllers or processors. As a result, data disclosures between companies within the same corporate group may be personal data transfers.
Thirdly, if the other controller or processor is in a third country, the disclosure of data is a transfer. As a result, Chapter V applies.
Conclusions
During a Linkedin live between EDPB Secretariat Head Isabelle Vereecken, and IAPP Vice President Caitlin Fennessy, Vereecken stated that the goal of the guidance is to provide more clarity on the topic.
Until the end of January, the guidance will be open for public comments. According to Vereecken, new transfer tools should be developed as a result of this guidance. The European Commission has already committed to developing a new SCC for transfers.
"There was a particular recital in the decision that was discussed with the European Commission providing that the SCCs could not be used by non-EU data importers that are already subject to the GDPR due to the external application of Article 3(2)," Vereecken said. "Many questions arose to understand the inclusion of this exemption. Was it because it was needed or because it wasn't a transfer?"
Source: https://edpb.europa.eu/system/files/2021-11/edpb_guidelinesinterplaychapterv_article3_adopted_en.pdf
Last updated: December 3, 2021