EDPB: final version of the guidelines on disclosure in third countries

On February 14, 2023, the European Data Protection Board (EDPB) published the final version of its guidelines on disclosure in third countries. The draft was dated November 18, 2021 (we have reported on this).

The final version is quite different from the draft (a Deltaview is available here):

  • Clarification that the GDPR's restrictions on transfers to third countries also apply to exporters that are not established in the EEA but fall under the GDPR pursuant to Art. 3 para. 2;
  • Clearer indications that internal transmissions, i.e. disclosures that do not go to another controller or processor, do not constitute a foreign disclosure. It should therefore continue to apply, as was already the case under the draft, that disclosure between organizational units or branches of the same legal entity does not fall under the restrictions on foreign disclosure. In this case, however (and the EDPB also emphasizes this), the relevant controller or processor must check which particular risks result from the processing in the third country (in this case according to Art. 5 and 24 GDPR). In addition, the principle of transparency requires that data subjects are informed about the processing abroad;
  • Clarification that the transfer restrictions also apply to processors. This is not new; however, the following note is interesting, which refers to the frequent situation where a controller uses a processor in the EEA who in turn discloses data to a third country (the standard case for cloud providers based in the EU). Here the EDPB apparently sees a (co-)responsibility of the controller for the onward transfer by the processor:

    Therefore, there will be a transfer situation where a processor (either under Article 3(1) or under Article 3(2) for a given processing, as explained above) sends data to another processor or even to a controller in a third country as instructed by its controller. In these cases, the processor acts as a data exporter on behalf of the controller and has to ensure that the provisions of Chapter V are complied with for the transfer at stake according to the instructions of the controller, including that an appropriate transfer tool is used. Considering that the transfer is a processing activity carried out on behalf of the controller, the controller is also responsible and could be liable under Chapter V and also has to ensure that the processor provides for sufficient guarantees under Article 28.

  • Clarification that a transfer is not exempt from the restrictions of the GDPR simply because the importer in the third country is itself covered by the GDPR;
  • Note that when selecting a processor, it is also necessary to check whether the processor is exposed to access by foreign authorities. A processor in the EEA may also be subject to access by authorities from third countries (access by U.S. authorities certainly comes to mind here). If such access occurs and the processor discloses data accordingly, it no longer does so as a processor, but as the controller;
  • The new version contains various examples that were not found in the draft. In a new appendix, these examples are illustrated with graphics.



