On November 18th, 2021, the European Data Protection Board (EDPB) published Guidelines 05/2021 which were supposed to clarify the definition of international personal data transfers.
Since the GDPR does not include a legal definition of data transfer according to Art. 44, there are legal uncertainties for controllers and processors, especially when entering into processing agreements with multinationals.
The European Data Protection identified three cumulative criteria which need to apply in order to qualify a processing of personal data as data transfer.
- A controller or processor is subject to the GDPR for the given processing
- The controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”)
- The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3
CEDPO has made comments on the proposed three criteria, pointing out some still remaining uncertainties regarding diverse cases of data transfers made by processors or controllers.
CEDPO also believes that data protection is becoming more and more a legalistic exercise, drifting away from its original objectives: ensuring data subjects a transparent, secure, lawful processing of personal data.
The CEDPO submission is available here.