The European Data Protection Board has issued draft guidelines on the interplay between Art 3.2 and Chapter V of GDPR. They have also finally defined the term “transfer.”
Here are some key takeaways:
- You must comply with the provisions of Chapter V GDPR, including the Schrems II assessment and supplemental measures, even when the recipient is subject to GDPR under Art 3.2.
- Regardless of whether the processing takes place in the EU or not, controllers and processors always have to comply with all relevant provisions of the GDPR, such as Article 32.
- When a controller or processor who is subject to GDPR (seemingly even if outside the EU themselves) sends personal data or makes it available to a non-EU recipient, even if such recipient is subject to GDPR under Art 3.2, this constitutes a transfer for the purpose of Chapter V.
- If an individual in the EU, directly and on his/her own initiative, sends personal data to a non-EU recipient, wait for it, THIS. IS. NOT A. TRANSFER.
- A transfer may occur where a processor sends data to another processor or even to a controller as instructed by its controller (e.g. in the so-called ‘reverse transfers’).
- In order to qualify as a transfer, there must be a controller or processor disclosing the data (the exporter) and a different controller or processor receiving or being given access to the data (the importer).
- Remote access by an employee of a company when traveling is not a transfer.
- Data disclosures between entities belonging to the same corporate group (intra-group data disclosures) may constitute transfer of personal data.
- Although a certain data flow may not qualify as a “transfer” to a third country in accordance with Chapter V of the GDPR, a controller is nonetheless accountable for all processing that it controls, regardless of where it takes place, and data processing in third countries may involve risks (for example, due to conflicting national laws or government access in a third country, as well as difficulties to enforce and obtain redress against entities outside the EU), which need to be identified and handled (mitigated or eliminated, depending on the circumstances) in order for such processing to be lawful under the GDPR.
- Controllers should, in accordance with their Art 32 obligations, decide whether the non-EU processing is possible.
- A new transfer method should be developed which needs to account for the fact that the recipient is already subject to GDPR and therefore include fewer obligations in order not to duplicate the GDPR obligations. Rather, the tool should address the elements and principles that are “missing” and, thus, needed to fill the gaps relating to conflicting national laws and government access in the third country as well as the difficulty to enforce and obtain redress against an entity outside the EU.