Within the framework of the European Data Protection Regulation (GDPR), it is always crucial for any controller or processor to identify data transfers to third countries or international organisations. Until now, there was uncertainty about what exactly constitutes such a transfer.
The European Data Protection Board (EDPB) has issued a new guideline on the transfer of personal data to third countries or international organisations dated 18 November 2021. This guideline is open for public consultation.
This guideline gives guidance on what exactly constitutes a transfer of personal data to a third country or international organisation. This guidance brings much-needed clarification for international companies when assessing their international data transfers. Consequently, the need to implement supplementary measures according to article 46 GDPR arises.
2. Transfer to third countries
The EDPB has defined an international transfer as follows:
2.1 Controller or processor is subject to the GDPR
First, the controller or processor has to be subject to the GDPR. It must be noted that this also covers controllers or processors outside the EU/EEA that are subject to the GDPR. Consequently, this also encompasses Swiss companies subject to the GDPR according to article 3 GDPR.
2.2 Disclosing personal data by transmission or otherwise
The second requirement states that a controller or processor must disclose or make available personal data to a controller, joint controller or processor. This clarifies that not only the controller but also the processor is responsible for implementing appropriate measures when transferring personal data to a third country.
The guideline further clarifies that two different parties have to be involved in such a transfer in order for it to qualify as a relevant transfer of personal data. For example, an employee of a processor accessing his/her data from a third country on a business trip is not considered a transfer of personal data to a third country within the meaning of article 46 GDPR. However, data security measures for such access must be in place.
2.3 Importer is in a third country or is an international organisation
The third requirement is that the receiving controller, joint controller or processor is located in a third country or is an international organisation. It is important to note that, for the application of article 46 GDPR, it is not relevant whether the receiving party is subject to the GDPR.
If all three criteria are met, the transferring party must assess whether the third country is deemed adequate by the EU Commission. The following countries are deemed to have an adequate level of data protection at the moment: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand and Switzerland.
If personal data is transferred or made available to any other country, the transferring party has to ensure that there are appropriate safeguards according to article 46 GDPR. These measures include:
These measures have to be implemented if the two parties exchanging data are located in the same third country, provided the transferring party is subject to the GDPR.
For Swiss controllers or processors that are subject to the GDPR and transfer data within Switzerland, nothing changes as long as the EU Commission deems Switzerland to have an adequate level of protection.
If, however, they transfer personal data to another third country, additional measures according to Art. 46 GDPR may be necessary.