In a post-Schrems era, understanding what constitutes a transfer of personal data is not a trivial question. Data flows which do not amount to a data transfer under the meaning of Chapter V of the GDPR will not be subject to restrictions, including those deriving from Schrems.
The EDPB guidance published last week for consultation (available here) seeks to shed some light on this matter.
In a nutshell, for an international data transfer (in the GDPR sense) to take place, three conditions must apply:
1. The exporting controller or processor must be subject to the GDPR (regardless of whether it is located in the EU or not).
2. There must be an 'exporter' and an 'importer'. The exporter (whether a controller or processor) must disclose personal data to another controller / joint controller or processor (the importer).
- This condition will not be fulfilled where the data is collected directly by the controller/processor outside the EU and on the initiative of the individual. In this context, recipients of personal data "sent" by those EU individuals in the third country will not be 'importers' under Chapter V GDPR even though they may be subject to the GDPR under Article 3.2, for example, if they offer products and services to individuals in the EU. When explaining this scenario, the EDPB anticipates that the third country data recipient has "no presence in the EU". This raises the question as to whether the presence of a subsidiary in the EU would alter this assessment (whether or not that subsidiary is involved in the particular transaction/service); it ought not to (the individual is knowingly sending his or her own data out of the EU), but the document is not clear on this point.
- Mere access from a third country will not always amount to a transfer in the meaning of Chapter V GDPR. The transfer must be from a controller / processor to another. So, remote access to EU data by a travelling employee from outside of the EEA will not qualify as a transfer.
3. The importer must be in a third country outside of the EEA (or be an international organisation) regardless of whether it is itself subject to the GDPR.
Lastly, as readers may know, the recently adopted SCCs [see our blog] may not be suitable for use when an exporter is sending data to an entity in a third country which is already subject to the GDPR (see our blog under the heading "What about transfers to importers that are already subject to the GDPR?"). A new data transfer tool will be needed for this scenario. In this draft guidance, the EDPB gives us a glimpse of what that tool should look like: in particular, it should not duplicate the GDPR obligations but only provide the missing elements (e.g. how to handle legally binding data disclosure requests). We should understand better what this looks like in 2022, if and when such new standard contractual clauses are issued by the EU Commission.
What does this mean in practice?
Some organisations may benefit from the lifting of the data transfer restrictions, in particular those already subject to the GDPR and those collecting data directly from the individual. How broadly such a 'reprieve' will apply remains to be seen, as the document is still in draft form and there are areas where further guidance would be welcome. For instance:
- Can data collected automatically (for instance, via cookies) be considered as data obtained 'directly' and 'on the initiative' of the EU based individual?
- Would a non-EEA importer be able to benefit from the more flexible interpretation of the concept of transfer if it has a presence (e.g. subsidiaries) in the EU, where such subsidiaries are not involved in the data flows?
- Would non-EEA importers only benefit from the 'light' SCCs if they are subject to the GDPR in relation to the personal data subject to transfer?
- In the case of the employee travelling outside of the EEA, would we reach the same conclusion where the employee is based permanently outside of the EEA?