Transfer of personal data outside the EU according to new guidelines

Personal data transfers to third countries are a sensitive topic, in particular since the invalidation of the Privacy Shield in 2020. In late February, the European Data Protection Board (EDPB) issued two sets of guidelines on transfers of personal data to third countries: Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, and Guidelines 07/2022 on certification as a tool for transfers.

The first set of guidelines refers to the very concept of transfers of personal data. The EDPB examines when a transfer of personal data takes place, when a controller or a processor outside the EU is subject to the GDPR but there is no transfer of data, and when a processor is not subject to the GDPR at all.

For the record, the GDPR applies to controllers or processors in two cases:

  • the controller or processor is established in the Union and the processing of personal data is carried out in connection with the operations of that establishment. The processing activities do not have to take place in the Union (Article 3(1) GDPR);
  • the controller or processor is not established in the Union, but the processing activities are related to the offering of goods or services in the Union or the monitoring of behaviour of data subjects in the Union (Article 3(2) GDPR).

Any transfer of personal data to a third country must comply with general principles for transfers laid down in Chapter V of the GDPR.

The EDPB has specified three cumulative criteria to assess whether a processing operation qualifies as a transfer of personal data to a third country:

  • A controller or a processor (“exporter”) is subject to the GDPR;
  • The exporter discloses or makes available personal data to another controller or processor (“importer”); and
  • The importer is in a third country (or is an international organization), irrespective of whether or not this importer is subject to the GDPR.

The first criterion is met if the exporter is subject to the GDPR under Article 3. The EDPB provides a number of examples for the second and third criteria. It first recalls that no transfer takes place if the personal data are made available by the data subject himself, e.g. when he books a room in the US through the hotel’s website; in that example the hotel operator is not subject to the GDPR. Similarly, no transfer of personal data takes place where the data subject orders goods from an e-shop whose operator is based, for example, in the US, but which targets buyers in the EU. Unlike the hotel operator, the e-shop operator is required to apply the GDPR under Article 3(2). A transfer to a third country would, however, occur if this operator (as exporter) used a processor from a third country (as importer).

The rules on personal data transfers apply to transmissions of employees’ personal data by a subsidiary to its non-EU parent. They also apply where a company outside the EU uses a processor in the Union: in that case the GDPR does not apply to the non-EU controller, but it does apply to the processor in the EU, and the transmission of personal data back from the processor to the controller is considered a transfer subject to the GDPR.

No transfer of personal data takes place if an employee on a business trip outside the EU remotely accesses data stored on his employer’s computers in the EU. In the event the employee makes these personal data available to persons during meetings in the country where he is on the business trip, it would qualify as a transfer subject to the GDPR.

A transfer of personal data does not take place if a company established in the EU uses an EU-based company as a processor, which is a subsidiary of a third-country parent company, provided that the personal data are processed in the Union. As the processing entity may be subject to legislation applicable in its parent company’s headquarters, it may receive requests to disclose the processed data to public authorities in that third country. This would then constitute a transfer outside the EU. The EDPB advises that if a processor is engaged that is a subsidiary of a non-EU company, controllers should consider this risk when entering into a processing contract.

The controller should (1) analyse the processing of personal data; (2) determine whether a transfer of personal data to a third country takes place; (3) assess whether the transfer is in compliance with the GDPR; and (4) adopt measures to protect personal data. The controller should assess potential risks arising from transfers of personal data to a third country upon request of public authorities when using a processor established in the EU, but which may be subject to legislation of a third country.

The second set of guidelines refers to certification as evidence of appropriate safeguards for transfers of personal data to third countries pursuant to Article 46(2)(f) GDPR. The certification applies to the recipient of data in a third country, i.e. the data importer, for a single processing operation or a set of operations.

Certification of importers is not, however, a sure guarantee for exporters. The data exporter is obliged to verify whether the certification is effective in light of the intended processing, whether the certification is valid and whether the data transfer falls within the scope of certification. Additionally, the data exporter has to check whether the certification body is accredited by a national accreditation body or a competent supervisory authority.

In some cases, the importer, the exporter or both will have to adopt supplementary measures provided for in the certification mechanism to ensure a level of personal data protection equivalent to that in the EU.


Eva Fialová
Attorney

Source: epravo.cz.