
What constitutes a data transfer under the GDPR?

A short update based on the latest guidelines issued by the European Data Protection Board

It has been a turbulent time in the world of transfers. Organisations have had to grapple with the consequences of the Schrems II decision, with the supplementary measures they now need to take when relying on Standard Contractual Clauses (SCCs) following the publication of the European Data Protection Board’s (EDPB) recommendations, and with the issuance by the European Commission of the latest version of the SCCs.

In the latest chapter of this saga, on 18 November 2021 the European Data Protection Board published new draft guidelines aiming to clarify the circumstances under which a processing of personal data constitutes a transfer to a third country (i.e. a country outside the European Economic Area (EEA)) or to an international organisation. Where such a transfer takes place, an organisation then needs to comply with the transfer requirements under Chapter V of the General Data Protection Regulation (GDPR), i.e. the transfer must be based on an adequacy decision or on appropriate safeguards such as SCCs, Binding Corporate Rules or Codes of Conduct. The draft guidelines are currently subject to a public consultation that ends on 31 January 2022.

What is a transfer? 

The EDPB has identified three cumulative criteria that qualify a processing as a transfer: 

  1. A controller or a processor must be subject to the GDPR for the given processing.  

    This captures not only organisations established in the EEA but also organisations which, by virtue of the activities they undertake or the individuals they target, fall within the scope of the GDPR. In practice this means that, where organisations are established in a third country but are subject to the GDPR pursuant to the extraterritoriality provisions of Article 3, they must ensure that any personal data they disclose to other parties within the same country, or transmit to parties in another third country or to an international organisation, is covered by one of the transfer mechanisms set out in Chapter V of the GDPR.

  2. An “exporter” must transmit or otherwise make personal data available to an “importer”.

    The EDPB clarified that this is not fulfilled when: 
    1. Individuals (in the course of their personal activities), on their own initiative, disclose their data directly to an organisation outside the EEA. The term “on their own initiative” seems to cover situations where individuals, of their own accord, complete online forms or make a purchase from an online store established in a third country. It is less clear whether this will also cover situations where an individual consents to the use of tracking cookies or other technologies collecting personal data. This also brings into question how non-EU companies will choose to obtain personal data from the EU from now on, given that collecting them directly from the data subject, rather than through an EU-based subsidiary, may mean that they will encounter fewer roadblocks along the way. 
    2. The parties between which the disclosure takes place are not separate. Employees on business trips to third countries who carry their laptops and remotely access personal data of their organisation would not be considered to be transferring data, since employees are not separate controllers but integral parts of their organisation. On the other hand, the EDPB stated that entities within the same corporate group “may” qualify as separate controllers or processors without however providing any examples of circumstances where such disclosures would not constitute a transfer.
       
  3. The “importer” is in a third country outside the EEA (or is an international organisation). 

    This means that the importer must be geographically located in a country outside the EEA, regardless of whether or not it may fall under the territorial scope of the GDPR.

    The EDPB underlines that where the organisation located in a third country is subject to the GDPR, there still needs to be a transfer mechanism in place. Interestingly, it admits that the current SCCs are not suitable for such situations, as they partly duplicate the requirements of the GDPR. A “lighter” version would thus need to be created to cover these situations, and organisations falling within this category are left without a clear solution in the meantime. The EDPB does offer to help in the development of new SCCs that would address this gap, without however giving any indication of when such SCCs would be released.