On 19 November 2021, the European Data Protection Board (`EDPB`) adopted Guidelines on the interplay between Art. 3 and Chapter V GDPR, aiming to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers.
In doing so, it identifies three cumulative criteria that qualify a processing as a transfer:
(1) the data exporter (a controller or processor) is subject to the GDPR for the given processing;
(2) the data exporter transmits or makes available the personal data to the data importer (another controller, joint controller or processor);
(3) the data importer is in a third country or is an international organization.
The guidelines further clarify each of these criteria. For example, the EDPB emphasizes that the processing will be considered a transfer even if the importer is already subject to the GDPR under Art. 3 GDPR. However, if the controller in a third country collects data directly from a data subject in the EU at their own initiative, it does not constitute a transfer.
The Guidelines will be subject to public consultation until the end of January.
During the same plenary session, the EDPB adopted a Statement on the European Commission’s Digital Services Package and Data Strategy and it nominated two representatives from the Belgian and Hessen (DE) SA to take part in the 6th Joint Review of the EU-US Terrorist Finance Tracking Program (TFTP) Agreement.
The press release is available here.