The EDPB issued Guidelines on the Interplay between Art. 3 and Chapter V GDPR during its plenary session. The Guidelines aim to assist controllers and processors in the EU in determining whether a processing operation constitutes an international transfer and to provide a common understanding of the concept of international transfers by clarifying the interplay between the GDPR’s territorial scope (Article 3) and the provisions on international transfers in Chapter V.
The Guidelines list three requirements that must be met in order for a processing to be classified as a transfer:
(1) For the processing in question, the data exporter (a controller or processor) is subject to the GDPR;
(2) the data exporter transmits or makes available the personal data to the data importer (another controller, joint controller, or processor);
(3) the data importer is located in a third country or is an international organisation.
Regardless of whether the importer established in a third country is already subject to the GDPR under Art. 3 GDPR, the processing shall be considered a transfer. The EDPB, on the other hand, believes that data collected directly from EU data subjects on their own volition does not constitute a transfer.
“These Guidelines provide a consistent interpretation of the concept of “international transfers” and clarify that, when a data importer is subject to the GDPR, the obligations under Chapter V GDPR apply both to the transfer from the EU to the importer and to any subsequent transfer undertaken by the importer,” said EDPB Chair Andrea Jelinek.
The European Digital Services Package and Data Strategy were adopted by the EDPB in a statement. The EDPB notes three categories of broad concerns in the statement about the Commission proposals so far (the Data Governance Act (DGA), Digital Services Act (DSA), Digital Markets Act (DMA), and the AI Regulation (AIR)):
1) Individuals’ fundamental rights and liberties are not adequately protected;
2) Inconsistent supervision;
3) The dangers of inconsistency
The first criterion requires that there is:
a) a controller or processor “exporting” personal data
b) The controller or processor is subject to the GDPR for the given processing. There is, therefore, no transfer of personal data are disclosed directly and on their own initiative by data subjects in the EU to a controller or processor outside of the EU. Controllers and processors not established in the EU but subject to the GDPR per Article 3(2) (e.g., because they offer goods or services to individuals in the EU or monitor their behavior) must also comply with Chapter V GDPR when transferring the personal data to a third country or to an international organization. The draft guidance further emphasizes that a processor established in the EU and processing personal data for a controller that is not established in the EU, must comply with Chapter V GDPR when transferring the personal data back to the controller outside of the EU.
The second criterion requires that the personal data are transmitted or otherwise made available from a controller or processor to another controller, joint controller or processor outside of the EU. Therefore, there can only be a transfer if at least two different (separate) parties (each of them a controller, joint controller or processor) are involved. If the data exporter and importer are not different controllers/processors – i.e., if the data are processed within the same controller/processor – there is no transfer under the GDPR.
If the transfer criteria are met, the controller or processor “exporting” the data must ensure compliance with Chapter V GDPR by using one of the instruments listed in the GDPR and aimed at protecting personal data after they have been transferred to a third country or an international organization. These instruments include:
- The recognition of the existence of an adequate level of protection in the third country or international organization to which the data are transferred (Article 45 GDPR);
- In the absence of such adequate level of protection, the implementation of one of the appropriate safeguards as provided for in Article 46 GDPR; or
- In the absence of an adequacy decision (Article 45) or an appropriate safeguard per Article 46, one of the derogations in Article 49 GDPR.
The EDPB found it important to highlight in its draft guidance that the content of Article 46-type of safeguards for international transfers needs to be customized depending on the situation. For example, new transfer tools (e.g., SCCs) dealing with the Article 3(2) GDPR scenario – which the European Commission is reportedly in the process of preparing – should not merely duplicate the GDPR obligations that already apply. Instead, they should focus on the elements and principles that are “missing” and, thus, needed to fill the gaps relating to conflicting national laws and government access in the third country as well as the difficulty to enforce and obtain redress against an entity outside the EU.
The EDPB and EDPS have already released joint opinions on the DGA and the AIR, while the EDPS has already issued opinions on the European Data Strategy, the DMA, and the DSA. The EDPB reiterates its call for a ban on any use of AI for automated recognition of human features in publicly accessible spaces, and urges the co-legislator to consider a phase-out that would lead to a prohibition of targeted advertising based on pervasive tracking, as well as the profiling of children.
The EDPB further emphasises the dangers of parallel supervision structures and strongly advises that each proposal include an explicit legislative basis for successful cooperation and information exchange between the appropriate supervisory bodies and the data protection authorities.
Furthermore, the EDPB urges the Commission and the co-legislator to ensure that the proposals clearly state that they will not affect or undermine the application of existing data protection rules, and that these rules will take precedence whenever personal data is processed, including in the context of the upcoming Data Act proposal.
Finally, the EDPB nominated two Belgian and Hessen (DE) SA officials to participate in the EU-US Terrorist Finance Tracking Program (TFTP) Agreement’s 6th Joint Review.
