EN
Technology

New guidelines clarify when processing is an international data transfer

logo
Legal news
calendar 31 March 2022
globus Denmark

When processing data, companies may from time to time risk making international data transfers without being fully aware of it. The reason is that it can be difficult defining when an international transfer exactly takes place. Now, the European Data Protection Board has published guidelines to help companies apply three criteria to determine when a transfer mechanism is needed.

Companies may need a transfer mechanism when carrying out an international data transfer under the data protection rules. This is required in order to ensure that transferred personal data continues to have adequate or appropriate protection in the third country it is transferred to.

Depending on the type of transfer and destination of the data, different transfer mechanisms apply. Transfers can easily be made to adequate third countries, such as the United Kingdom, Canada, or South Korea, whereas transfers to third countries that are not defined as “adequate” needs more preparation. The reason is that transfer mechanisms are needed when transfers occur to other third countries.

Three criteria to determine if a transfer mechanism is needed

The European Data Protection Board has defined three criteria that companies can use to determine if its processing constitutes an international data transfer. The three cumulative criteria include:

  • That the controller or processor’s processing activities are subject to the data protection rules
  • That the personal data is made available to another data controller or processor
  • That the recipient of the personal data is in a third country, irrespective of whether the personal data rules apply

The first criterion is rather straightforward and is usually already satisfied when the company processesing the personal data is established in the EU. However, the criterion can also be met although the company is not established in the EU, depending on the circumstances.

The other criterion requires that the company as the controller or processor makes personal data available via transmission or another form of disclosure, to another controller or processor. This means, for example, that if a consumer in Denmark discloses his or her own personal data as a part of a purchase of clothing or other products from a company in Singapore, the rules would not apply. Oppositely, the rules would apply if a Danish company as a controller sends personal data on its customers and employees to a company in Chile, which then proceeds to processes the data on the Danish company’s behalf.

The last criterion means that the recipient of the personal data is in a third country, or is in an international organization, regardless of whether the rules on personal data apply to it. For example, if a Danish company processes personal data for a company in the US, which provides services in the EU, the rules apply when the Danish company sends personal data to the company in the US.

IUNO’s opinion

The new guidelines make it easier for companies to establish exactly when processing of personal data constitutes an international data transfer. When an international transfer is made, companies can for example use the approved standard contractual clauses, binding corporate rules (BCR) or assess whether one of the exceptions under the rules on transfer applies.

IUNO recommends that companies are aware that the choice of the right transfer mechanism will depend on each situation. The right transfer mechanism can depend on many things, including for example, whether the company, that will transfer the personal data, has the role as controller or processor, the amount of data and the reason for the transfer. Large fines apply in case of breach of the rules.

[Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR]

Companies may need a transfer mechanism when carrying out an international data transfer under the data protection rules. This is required in order to ensure that transferred personal data continues to have adequate or appropriate protection in the third country it is transferred to.

Depending on the type of transfer and destination of the data, different transfer mechanisms apply. Transfers can easily be made to adequate third countries, such as the United Kingdom, Canada, or South Korea, whereas transfers to third countries that are not defined as “adequate” needs more preparation. The reason is that transfer mechanisms are needed when transfers occur to other third countries.

Three criteria to determine if a transfer mechanism is needed

The European Data Protection Board has defined three criteria that companies can use to determine if its processing constitutes an international data transfer. The three cumulative criteria include:

  • That the controller or processor’s processing activities are subject to the data protection rules
  • That the personal data is made available to another data controller or processor
  • That the recipient of the personal data is in a third country, irrespective of whether the personal data rules apply

The first criterion is rather straightforward and is usually already satisfied when the company processesing the personal data is established in the EU. However, the criterion can also be met although the company is not established in the EU, depending on the circumstances.

The other criterion requires that the company as the controller or processor makes personal data available via transmission or another form of disclosure, to another controller or processor. This means, for example, that if a consumer in Denmark discloses his or her own personal data as a part of a purchase of clothing or other products from a company in Singapore, the rules would not apply. Oppositely, the rules would apply if a Danish company as a controller sends personal data on its customers and employees to a company in Chile, which then proceeds to processes the data on the Danish company’s behalf.

The last criterion means that the recipient of the personal data is in a third country, or is in an international organization, regardless of whether the rules on personal data apply to it. For example, if a Danish company processes personal data for a company in the US, which provides services in the EU, the rules apply when the Danish company sends personal data to the company in the US.

IUNO’s opinion

The new guidelines make it easier for companies to establish exactly when processing of personal data constitutes an international data transfer. When an international transfer is made, companies can for example use the approved standard contractual clauses, binding corporate rules (BCR) or assess whether one of the exceptions under the rules on transfer applies.

IUNO recommends that companies are aware that the choice of the right transfer mechanism will depend on each situation. The right transfer mechanism can depend on many things, including for example, whether the company, that will transfer the personal data, has the role as controller or processor, the amount of data and the reason for the transfer. Large fines apply in case of breach of the rules.

[Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR]

Receive our newsletter

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate

Similar

logo
Technology

24 November 2022

Colored cookie consent can be illegal nudging

logo
Technology

10 November 2022

Deadline to create whistleblower schemes for medium-sized companies approaching

logo
Technology

27 October 2022

Criticism and order to correct processing activities on “No thank you-list”

logo
Technology

13 October 2022

Investigation criticized by the Danish Data Protection Agency

logo
Technology

22 September 2022

The Danish Data Protection Agency is testing the use of cloud solutions

logo
Technology

8 September 2022

Cyber-attack will become expensive for law firm

The team

Anders

Etgen Reitz

Partner

Kirsten

Astrup

Senior associate