Chapter V of the General Data Protection Act (GDPR) regulates transfers of personal data from entities located in the European Union to entities outside the EU. This chapter provides an exhaustive list of transfer mechanisms, including Standard Contractual Clauses (SCC) approved by the European Union. In addition, the Court of Justice of the European Union (CJEU) stated that parties transferring data abroad may also need to incorporate supplementary measures to ensure an adequate level of data protection in a particular nation. Article 3 of the GDPR describes the geographic scope of the GDPR and provides that the GDPR may apply directly to entities outside the EU that are processing personal data of EU residents.
By clarifying the interplay between the territorial scope of the GDPR and the provisions of Chapter V, the guidelines launched by the EDPB aim to assist controllers and processors in the EU. These guidelines specify three criteria that qualify processing as a transfer. These are:
- The data exporter (a controller or processor) is subject to the GDPR for the given processing.
- The data exporter sends or makes personal data available to the data importer (another controller, joint controller, or processor).
- The data importer is in a third country or is an international organisation.
EDPB Chair Andrea Jelinek added: “These Guidelines provide a consistent interpretation of the concept of ‘international transfers’ and clarify that, when a data importer is subject to the GDPR, the obligations under Chapter V of the GDPR apply both to the transfer from the EU to the importer and to any further transfer that the importer undertakes.”
Thus, these guidelines may mark a new era for data transfers. They will be subject to public consultation until the end of January 2022.
(Legal Content Writer, WCSF)