New EDPB Guidance on International Data Transfers

Written by: Alyssa J. Feliciano, Esq.

The European Data Protection Board (“EDPB”) released new guidelines in November to clarify when a processing operation should be classified as an international data transfer based upon Article 3 and Chapter V of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”). The guidelines are intended to create a unified understanding of international data transfers for controllers and processors in the EU. The EDPB defined a transfer as personal data that moves from an organization that is regulated by the GDPR to a separate organization outside of the EU.

Three Criteria that Constitute International Data Transfers

1. 1. 1. A controller or a processor is subject to the GDPR for the given processing.
      2. This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller, or processor (“importer”).
      3. The importer is in a third country or is an international organization, irrespective of whether this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.

Notwithstanding the applicability of GDPR Article 3 to the third country importer, the processing is deemed a transfer. Any data that is derived directly from data subjects voluntarily in the EU is not regarded as a transfer by the EDPB.

To comply with GDPR Chapter V, the controller or processor transferring the data must use one of the instruments referenced under the GDPR. Examples of the main transfer instruments used include:

1. 1. 1. Standard Contractual Clauses (SCCs).
      2. Binding Corporate Rules (BCRs).
      3. Codes of conduct.
      4. Certification mechanisms.
      5. Ad hoc contractual clauses.
      6. International agreements/Administrative arrangements.

Comments on these guidelines are being accepted through January 31, 2022.