News about EDPB’s Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR

 

Transfer of personal data continues to be a hot and important topic for both business and regulators. In this context, on 14 February 2023 the European Data Protection Board issued an updated version 2 of Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (the “Guidelines”). The goal of the updated Guidelines is to bring clarity on the interpretation of the term “transfer of personal data to a third country or to an international organization” (a “transfer”) as the GDPR does not expressly define this term.

Pursuant to the Guidelines, to have a transfer, all the following elements must be complete in respect of a processing operation:

     1) A controller or a processor (“exporter”) is subject to the GDPR for the given processing.

     2) The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint     controller, or processor (“importer”).

    3) The importer is in a third country, irrespective of whether this importer is subject to the GDPR for the given processing in accordance with   Article 3 of the GDPR or is an international organisation.

If the three criteria are met, there is a transfer and Chapter V of the GDPR applies. This means that the transfer is permissible based on and in the context either of an adequacy decision (Article 45), or provided appropriate safeguards (Article 46), or an express derogation for a specific situation (Article 49).

If the three criteria are not met, there is no transfer and Chapter V of the GDPR does not apply. Nonetheless, the principles of lawfulness, fairness, minimisation of data, etc., and other requirements of the GDPR continue to apply to the relevant processing. To be compliant and, respectively, permissible, such processing, notwithstanding it does not constitute a transfer, must follow the GDPR principles and rules (other than those related to a transfer).

The added value of the updated Guidelines comes from the practical guidance they provide on the highly debatable matter of transfers. Various examples and actual scenarios of data flows to third countries set forth in an annex illustrate the notion of “transfer”.