The GDPR does not define the activities which qualify as a transfer of personal data to a third country. To clarify the notion of “transfer of personal data to a third country”, the European Data Protection Board (“EDPB”) issued Guidelines 5/2021 on the interplay between the application of Article 3 and Chapter V of the GDPR[1], setting out three cumulative criteria according to which processing would qualify as a “transfer to the third country”:
- the controller or processor is subject to the GDPR for the given processing[2],
- the controller or processor (the “data exporter”) discloses or otherwise makes personal data available to a different controller, joint controller or processor (“data importer”)[3], and
- the importer is in a third country or is an international organisation, regardless of whether or not the GDPR is also applicable to the processing of personal data by the data importer.[4]
It should be noted that entities that form part of the same corporate group may qualify as separate controllers or processors, and that data disclosures between such entities could be considered as transfers of personal data.[5]
The following examples constitute “transfers” for the purpose of the GDPR[6]:
- company X established in Luxembourg, acting as controller, gives access to the personal data of its clients to a company Z established in Chile, which processes these data as processor on behalf of X,
- the Luxembourgish Company A, which is a subsidiary of the U.S. parent Company B, discloses personal data of its employees to Company B to be stored in a centralized HR database by the parent company in the U.S. In this case the Luxembourgish Company A processes (and discloses) the data in its capacity as employer and hence as a controller, while the parent company is a processor. The data are thus provided from a controller which, as regards the processing in question, is subject to the GDPR, to a processor in a third country.
The following examples do not constitute “transfers” for the purpose of the GDPR[7]:
- the personal data are disclosed directly and on their own initiative by the data subject to the recipient. In this case, there is no controller or processor sending or making the data available, i.e. there is no “exporter”,
- an employee travels to a third country and remotely accesses the personal data processed by the employer. The remote access of personal data from a third country by the employee does not constitute a transfer of personal data, as the employee is an integral part of the controller,
- a controller or a processor located in a third country not subject to the GDPR transmits personal data to a controller or a processor located in Luxembourg.
[1] European Data Protection Board (EDPB), Guidelines 5/2021 of 18 November 2021 on the interplay between the application of Article 3 and the provisions of international transfers as per Chapter V of the GDPR.
[2] See European Data Protection Board (EDPB), Guidelines 3/2018 of 12 November 2019 on the territorial scope of the GDPR (Article 3).
[3] See section 2.2 of the above Guidelines 5/2021.
[4] See section 2.3 of the above Guidelines 5/2021.
[5] See point 16 of the above Guidelines 5/2021.
[6] See point 18 of the above Guidelines 5/2021.
[7] Idem.