EDPB provides much needed guidance on what is a ‘transfer’
New guidelines clarify the interplay between the territorial scope and the provisions on international transfers in the GDPR. By Anthi Pesmazoglou of Gerrish Legal.
On 18 November 2021, the European Data Protection Board (EDPB) adopted Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR. The guidelines were open to public consultation which closed on 31 of January. These will not be legally binding for businesses but once adopted will establish new standards for cross-border transfers.
Although the GDPR, in its Article 44, addresses transfers of personal data to third countries and international organisations, and the export and import of personal data in and outside of the European Economic Area forms a significant part of cross-border contract negotiations, there is no legal definition of what is considered a “transfer”. Looking into the previous Data Protection Directive(1) and case law including Court of Justice of the European Union (CJEU) decisions such as the Bodil Lindqvist case(2) , such sources only add to the confusion around the issue in question. Indeed, in the recent decisions handed down by the CJEU in the Schrems saga, the court offered little insight into the definition of cross-border transfers in both its Schrems I(3) or Schrems II(4) decisions. The CJEU decisions nevertheless have added a significant focus on international transfers, their compliance and the use of data transfer tools such as the Standard Contractual Clauses (SCCs) which constitute arguably the only available and viable transfer mechanism to a third country for which an adequacy decision has not been granted by the European Commission.
International Report subscribers please login to access the full article.
If you wish to subscribe please see our subscription information.