The European Data Protection Board (EDPB) published draft guidelines on the interplay between Article 3, which sets out the territorial scope of the GDPR, and Chapter V, which regulates the transfer of data outside the EU. The draft guidelines clarify when the processing of data will be considered “transfer of personal data to a third country or to an international organization” and therefore be subject to the provisions of Chapter V of the GDPR.
The draft guidelines set out three cumulative criteria that qualify a processing activity as a transfer:
- A controller or a processor is subject to the GDPR for the purpose of that certain processing;
- The exporter of data (whether it is the controller or the processor) discloses it or makes it available to another controller, joint controller, or processor (i.e., the data importer); and
- The data importer is in a third country or is an international organization (whether subject to the GDPR, or not).
The draft guidelines clarify that, unlike the transfer of data from an EU controller to a third-country processor, or the transfer of data from an EU processor to a third-country sub-processor – the collection of data by a third-country controller directly from an EU resident, does not constitute a transfer that is subject to Chapter V. This is because the data is transferred directly by the data subject to the third-country controller and no other entity is involved in the transfer as an exporter.
Furthermore, the draft guidelines note that the application of the safeguards described in Article 46 of the GDPR needs to be adjusted to the specific circumstances. For example, where a third-country importer is already subject to GDPR under Article 3(2), this should be taken into consideration when creating the transfer tools – the transfer tools should not duplicate the importer’s existing obligations, but rather only add the missing elements and principles.