
Data transfer and exporters' tasks: two new Guidelines with clarifications approved

On 14 February, the European Data Protection Board (“EDPB”) adopted two new Guidelines (number 05/2021 and 07/2022) after the completion of the public consultation process; the Guidelines provide important clarifications regarding data transfers to third countries. These Guidelines delve into the interaction between the application of Article 3 and the provisions on international transfers contained in Chapter V of the GDPR, as well as into the use of certification as a secure tool for transferring data outside the European Community.

The approval of the Guidelines marks an important step forward by the EDPB towards ensuring a high level of protection in the context of the transfer of personal data to third countries.

For the first time, the EDPB provides a definition of “transfer” – as, admittedly, the GDPR does not provide any – for the purpose of determining the application of the provisions of Chapter V of the GDPR. In doing so, the EDPB indicates that the three minimum requirements for a transfer to occur include:

• The controller or processor (exporter) is subject to the GDPR;

• The exporter transmits the personal data or otherwise makes them available to another controller, joint controller or processor (importer);

• The importer is located in a country outside the EU.

Furthermore, the EDPB emphasises the irrelevance of the role of the parties involved (i.e. controller/processor) for the application of the transfer principles and the consequent responsibilities that the transfer entails. This could lead to disruptions in business relations between controller and processor. For instance, a controller established outside the EEA who puts in place a transfer to a processor established within the EU could encounter obstacles to the return of the data by the processor, if the latter considers that such a return does not meet the requirements of Article 46 GDPR (e.g. if the controller refuses to sign the standard contractual clauses). The Guidelines reiterate the obligation of the exporter to ensure that the transfer takes place in compliance with the provisions of Chapter V of the GDPR.

With respect to certification, the Guidelines reiterate its value as an appropriate tool to ensure the importer's compliance with its obligations under the GDPR. However, the exporter will have to verify that the certification obtained by the importer is valid, has not expired, is correct for the specific type of transfer to be carried out and is effective in light of the law and/or practices of the third country. It is worth emphasising that, for these assessments, the exporter may rely on the certification body's verification of the documentation submitted by the importer, without prejudice to the exporter's burden of ensuring that the certification body is accredited by a competent national accreditation body (or supervisory authority). Where the certification requires the implementation of supplementary measures by the exporter and/or importer in order to ensure an adequate level of protection as required by European legislation, the exporter will also be responsible for verifying that those supplementary measures are correctly implemented by the importer (or implementable by the exporter itself). Should the verifications show that the level of protection of the personal data is still inadequate, the exporter must request that the importer implement adapted supplementary measures, including ones indicated by the exporter itself.

The EDPB continues to increase the safeguards adopted in the context of international transfers, and has identified exporters as the most suitable actors to achieve this objective. The hope is that steps will be taken to reduce this workload, such as formulas capable of standardising (by importing country) the certification criteria necessary to guarantee adequate security levels.

Authors

Matia Campo
Partner
Rome
Gabriele Cattaneo