In November 2021, the European Data Protection Board (EDPB) issued Guidelines clarifying the applicability of the provisions of the General Data Protection Regulation (GDPR) on third country transfers. In this article, we define a third country transfer as it pertains to the GDPR, and we explain why companies that do not have an establishment in the EU but are still bound by the GDPR should take note of the Guidelines.
What rules do companies have to comply with in case of a third country transfer?
For a GDPR-compliant third country transfer, i.e. any transfer of personal data to a country outside the EU or the European Economic Area, a transfer mechanism has to be put in place ensuring that data is also adequately protected outside the EU. In a nutshell, companies can rely on one of the following transfer mechanisms:
- Adequacy decision of the European Commission: If the European Commission has adopted a decision granting a specific country adequacy status, transfers to that country can take place without any further restrictions,
- Binding corporate rules (BCR): Their practical relevance is limited to large multinational corporations, since they not only have to be drafted by the company itself but also approved by the competent supervisory authority,
- Standard contractual clauses (SCCs), which are by far the most commonly used transfer mechanism, or
- Exceptions pursuant to Art. 49 GDPR, which can only be relied upon in exceptional circumstances.
Why did the EDPB issue further Guidelines on third country transfers?
After the decision of the Court of Justice of the European Union in Schrems II, the EDPB issued guidance on third country transfers. However, while the Recommendations 01/2020 provide an assessment of technical, organisational and contractual measures companies can employ to ensure the adequate protection of data being transferred outside the EU, the new Guidelines 05/2021 provide criteria to determine whether a certain processing qualifies as a third country transfer as it pertains to the GDPR.
In practice, there has been no doubt that a transfer of data from a company located in the EU, i.e. subject to the GDPR, to a company outside the EU and not subject to the GDPR constitutes a third country transfer. The majority of third country transfers, such as transfers from an EU controller to a non-EU processor (service provider), fall under this category. By contrast, no guidance has been available so far with regard to data transfers by or to companies not established in the EU but nonetheless subject to the GDPR by virtue of Art. 3(2) GDPR, i.e. because they offer goods or services to data subjects in the EU or monitor their behaviour. The new EDPB Guidelines, which for now exist merely as a draft still open for public consultation, fill this gap and are hence especially relevant for such non-EU companies.
According to the EDPB, for a certain processing operation to be considered a third country transfer, three conditions have to be fulfilled cumulatively:
- The “initial” controller or processor is subject to the GDPR for the given processing,
- This controller or processor (“exporter”) discloses by transmission or otherwise makes relevant personal data available to another controller, joint controller or processor (“importer”), and
- The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Art. 3(2) GDPR.
First condition: The exporting company is subject to the GDPR
For a processing operation to be considered a third country transfer, the “initial” controller or processor – i.e. the company that intends to transfer data – must first be subject to the GDPR. Due to the extraterritorial scope of the GDPR, this comprises not only all companies established in the EU but also non-EU companies that fall under the GDPR pursuant to Art. 3(2) GDPR, as discussed above. A practical example: A U.S. mobile app developer providing its services to data subjects in the EU, and hence subject to the GDPR, will have to comply with the GDPR provisions on third country transfers when employing a processor located outside the EU, even if the processor is also located in the U.S.
Second condition: The exporter discloses the data or otherwise makes it available to another controller or processor
Like the first condition, the second condition has been largely undisputed in legal practice. Nonetheless, the EDPB Guidelines provide some useful clarifications regarding this criterion.
In particular, the EDPB underlines that two separate controllers and/or processors have to be involved in a processing operation for it to be considered a third country transfer. Hence, situations where the data subject herself directly and on her own initiative discloses personal data to a non-EU company – e.g. a European traveller booking a hotel room in Brazil – are not considered third country transfers.
Similarly, an employee remotely accessing personal data held by the company she works for while being on a business trip in a third country does not constitute a third country transfer, as the employee is not a separate controller but rather an integral part of the company for which she works.
In both cases, the requirements on third country transfers set forth in Chapter V of the GDPR do not apply. Nonetheless, as underlined by the EDPB, the company might still be required to put appropriate data protection measures in place to comply with other obligations enshrined in the GDPR. As a last resort, the controller may even conclude that such processing cannot take place at all, for example by prohibiting employees from taking their laptops to certain third countries considered particularly risky.
Third condition: The importer is in a third country, irrespective of whether it is subject to the GDPR pursuant to Art. 3(2) GDPR
The third criterion requires that the receiving company (data importer) is geographically located in a third country. In this respect, it is irrelevant whether the relevant data processing falls under the GDPR pursuant to Art. 3(2) thereof.
The EDPB reasons that even though the processing at hand is covered by the GDPR, this protection might be undermined by national legislation of the country of the data importer, for example if the rules on government access to personal data go beyond what is necessary and proportionate in a democratic society. The application of the GDPR rules on third country transfers is meant to compensate for this risk. In the same vein, the EDPB notes that the fact that the importer is already bound by the GDPR has to be taken into account: The application of the rules on third country transfers shall not duplicate the GDPR obligations already in place but merely “fill in the gaps” where necessary.
The practical problem lies in the fact that the SCCs of 2021 – the only set of SCCs currently available and often the only mechanism that comes into question for a specific transfer situation – explicitly state that they may be used only in cases where the processing by the importer is not already covered by the GDPR.
Currently, companies might often not have an appropriate transfer mechanism for transfers to non-EU companies bound by the GDPR pursuant to Art. 3(2) thereof, as the existing SCCs are not meant to be used in such situations and a dedicated set of SCCs for such transfers does not exist. The European Commission has announced its intention to develop a specific set of SCCs for transfers to importers subject to Art. 3(2) GDPR (“SCCs lite”). However, it might take years before these become effective. In the meantime, affected companies face legal risks when they want to transfer data abroad, as they will often have no transfer tool available that fully fits the intended processing operations.
The new EDPB Guidelines provide valuable guidance on the notion of a third country transfer pursuant to the GDPR. They are particularly relevant for non-EU companies bound by the GDPR by virtue of its Art. 3(2), as thus far no comparable guidance has existed.
Unfortunately, the Guidelines did not solve the problems pertaining to transfers to non-EU companies covered by the extraterritorial scope of the GDPR but rather raised additional questions in this respect. It remains to be seen whether the EDPB will address these issues in the final version of the Guidelines. Furthermore, it is still unclear when the European Commission will publish a dedicated set of SCCs for transfers to such companies. Please feel free to subscribe to our newsletter to be informed once this occurs.