New guidelines clarify when processing is an international data transfer
When processing data, companies may from time to time risk making international data transfers without being fully aware of it. The reason is that it can be difficult defining when an international transfer exactly takes place. Now, the European Data Protection Board has published guidelines to help companies apply three criteria to determine when a transfer mechanism is needed.
Companies may need a transfer mechanism when carrying out an international data transfer under the data protection rules. This is required in order to ensure that transferred personal data continues to have adequate or appropriate protection in the third country it is transferred to.
Depending on the type of transfer and destination of the data, different transfer mechanisms apply. Transfers can easily be made to adequate third countries, such as the United Kingdom, Canada, or South Korea, whereas transfers to third countries that are not defined as “adequate” needs more preparation. The reason is that transfer mechanisms are needed when transfers occur to other third countries.
Three criteria to determine if a transfer mechanism is needed
The European Data Protection Board has defined three criteria that companies can use to determine if its processing constitutes an international data transfer. The three cumulative criteria include:
- That the controller or processor’s processing activities are subject to the data protection rules
- That the personal data is made available to another data controller or processor
- That the recipient of the personal data is in a third country, irrespective of whether the personal data rules apply
The first criterion is rather straightforward and is usually already satisfied when the company processing the personal data is established in the EU. However, the criterion can also be met although the company is not established in the EU, depending on the circumstances.
The other criterion requires that the company as the controller or processor makes personal data available via transmission or another form of disclosure, to another controller or processor. This means, for example, that if a consumer in Denmark discloses his or her own personal data as a part of a purchase of clothing or other products from a company in Singapore, the rules would not apply. Oppositely, the rules would apply if a Danish company as a controller sends personal data on its customers and employees to a company in Chile, which then proceeds to processes the data on the Danish company’s behalf.
The last criterion means that the recipient of the personal data is in a third country, or is in an international organization, regardless of whether the rules on personal data apply to it. For example, if a Danish company processes personal data for a company in the US, which provides services in the EU, the rules apply when the Danish company sends personal data to the company in the US.
IUNO’s opinion
The new guidelines make it easier for companies to establish exactly when processing of personal data constitutes an international data transfer. When an international transfer is made, companies can for example use the approved standard contractual clauses, binding corporate rules (BCR) or assess whether one of the exceptions under the rules on transfer applies.
IUNO recommends that companies are aware that the choice of the right transfer mechanism will depend on each situation. The right transfer mechanism can depend on many things, including for example, whether the company, which will transfer the personal data, has the role as controller or processor, the amount of data and the reason for the transfer. Large fines apply in case of breach of the rules.
[Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR]
Companies may need a transfer mechanism when carrying out an international data transfer under the data protection rules. This is required in order to ensure that transferred personal data continues to have adequate or appropriate protection in the third country it is transferred to.
Depending on the type of transfer and destination of the data, different transfer mechanisms apply. Transfers can easily be made to adequate third countries, such as the United Kingdom, Canada, or South Korea, whereas transfers to third countries that are not defined as “adequate” needs more preparation. The reason is that transfer mechanisms are needed when transfers occur to other third countries.
Three criteria to determine if a transfer mechanism is needed
The European Data Protection Board has defined three criteria that companies can use to determine if its processing constitutes an international data transfer. The three cumulative criteria include:
- That the controller or processor’s processing activities are subject to the data protection rules
- That the personal data is made available to another data controller or processor
- That the recipient of the personal data is in a third country, irrespective of whether the personal data rules apply
The first criterion is rather straightforward and is usually already satisfied when the company processing the personal data is established in the EU. However, the criterion can also be met although the company is not established in the EU, depending on the circumstances.
The other criterion requires that the company as the controller or processor makes personal data available via transmission or another form of disclosure, to another controller or processor. This means, for example, that if a consumer in Denmark discloses his or her own personal data as a part of a purchase of clothing or other products from a company in Singapore, the rules would not apply. Oppositely, the rules would apply if a Danish company as a controller sends personal data on its customers and employees to a company in Chile, which then proceeds to processes the data on the Danish company’s behalf.
The last criterion means that the recipient of the personal data is in a third country, or is in an international organization, regardless of whether the rules on personal data apply to it. For example, if a Danish company processes personal data for a company in the US, which provides services in the EU, the rules apply when the Danish company sends personal data to the company in the US.
IUNO’s opinion
The new guidelines make it easier for companies to establish exactly when processing of personal data constitutes an international data transfer. When an international transfer is made, companies can for example use the approved standard contractual clauses, binding corporate rules (BCR) or assess whether one of the exceptions under the rules on transfer applies.
IUNO recommends that companies are aware that the choice of the right transfer mechanism will depend on each situation. The right transfer mechanism can depend on many things, including for example, whether the company, which will transfer the personal data, has the role as controller or processor, the amount of data and the reason for the transfer. Large fines apply in case of breach of the rules.
[Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR]
Similar
Expensive right of access requests
Seven commandments when closing the business e-mail account
Unfair design practices resulted in a 345 million euro fine
Accessible personnel files resulted in a data breach
Deadline to establish whistleblower schemes for medium-sized companies approaching
New guidance from the Danish Data Protection Agency on direct marketing