GDPR and international data transfer: the new guidelines

GDPR regulation and the Guidelines 05/2021

The European Data Protection Board (EDPB), at its plenary session on November 19, 2021, adopted the Guideline 05/2021 on the interplay between the application of Article 3 and the provisions on international data transfer as per Chapter V of the GDPR.

What does GDPR stand for? It stands for General Data Protection Regulation. It is the EU Regulation 2016/679, which aims to strengthen the protection of personal data of EU citizens and EU residents, both within and outside EU borders. It also aim to simplify the regulatory environment affecting international affairs by unifying regulations within the EU.

Guideline 05/2021 clarifies the relationship between the territorial scope of the GDPR (Article 3) and the international data transfer provisions of Chapter V. This should help controllers and processors in the EU to identify whether a processing operation can be considered an international transfer.

In particular, paragraph 2 of the Guidelines specify the three cumulative criteria that qualify a data processing operation as a transfer:

1. The data exporter (data controller or a data processor) is always subject to the rules of the General Data Protection Regulation for the specific processing operation. The data exporter, even if not established within the EU, must mandatorily comply with the provisions in Chapter V when transferring personal data to a third country or organization;
2. The exporter must make personal data available by transmitting it to another data controller or data processor located abroad. The EDPB specifies that the transfer does not exist when the data are communicated directly from the data subject to the recipient as is the case, for example, when filling out an online form;
3. The data importer is located in a third country or is an international organization.

If all three criteria are met then the transfer is effective and the data controller or processor have to comply with the requirements of Chapter V to ensure an adequate level of data protection.

GDPR privacy: when is international data transfer not possible?

The transfer of personal data abroad is not allowed in the following cases:

1. In the absence of an Adequacy Decision of the European Commission (Art. 45) which ensures that a third country (but also a specific territory or area within it) or international organization have an adequate level of protection to allow the transfer;
2. The importer does not adhere to codes of conduct or certification;
3. There are no binding corporate rules (BCR);
4. There are no specific Standard Contractual Clauses (SCC) between the exporter controller or processor and the controller or processor of personal data in the third country or international organization;
5. International agreements and mechanisms provided by public authorities to list enforceable rights and make them actionable by data subjects are invalid.