International data transfer: the EDPB updates its guidelines

The European Data Protection Board (EDPB) has updated its Guidelines 05/2021 on extra-EU personal data transfers. The new guidelines, issued on the 14th of February 2023, include many practical examples to guide operators in applying the GDPR.

The Concept of International Data Transfer

The EDPB recalls that GDPR does not provide a legal definition of “transfer of personal data to a third country or to an international organization”. Therefore, these guidelines identify the criteria qualifying a processing operation as “transfer”.

In particular, the guidelines confirm the approach of the previous version: there is an international data transfer, with the consequent application of Chapter V of the GDPR, if the following three circumstances occur:

  • A controller or a processor (“exporter”) is subject to the GDPR for the given processing.
  • The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
  • The importer is in a third country, regardless of whether or not this importer is subject to the GDPR.

Examples: remote access to data

Through many examples and illustrations, the EDPB helps operators apply the three criteria in different practical contexts.

With regard to criterion no. 2, it is specified that personal data could be “made available” by creating an account, by embedding a hard drive, by submitting an access password to a file or by accepting remote access to data. It is also clarified that, in the case of remote access to data from a third country, there could be a transfer even if the data are only displayed on a screen (for example, to provide assistance or troubleshooting services).

By contrast, there is no “transfer” if the data processing is carried out outside the European Union by the same controller or processor, without sharing data with other subjects: this is the case of an employee located in the EU who goes abroad for work and accesses data remotely while he/she is in a third country.

Risk assessment

Lastly, the EDPB recalls that the controller of the processing is responsible for their activities regardless of where they take place. This means that even when there is no extra-EU data transfer, it is still mandatory to carefully consider the possible risks connected to the specific processing.

Consequently, the employee who accesses data remotely while he/she is in a third country does not carry out a data “transfer”, because he/she does not “make them available” to other subjects. Nevertheless, it is still the responsibility of the controller to take into consideration the legal framework of the third country and the circumstances which could affect his/her ability to comply with the GDPR.

As a matter of fact, even if data is not being transferred to a third country, a processing operation carried out outside the EU (such as remote access) could nevertheless entail higher risks due to, for example, national laws that conflict with the GDPR or the possibility for the third country's authorities to access data without respecting the GDPR provisions.

Ilaria Feriti