On February 14, 2023, the European Data Protection Board (EDPB) published the final version of its guidelines on transfers to third countries. The draft was dated November 18, 2021 (we reported on it at the time).
The final version differs considerably from the draft; a Deltaview (redline comparison) is available here:
- Clarification that the GDPR's restrictions on transfers to third countries also apply to exporters that are not established in the EEA but fall under the GDPR via Art. 3(2);
- Clearer indications that internal transfers, i.e. disclosures that do not go to another controller or processor, do not constitute a transfer to a third country. As was already the case under the draft, it therefore continues to apply that disclosures between organizational units or branches of the same legal entity do not fall under the transfer restrictions. In that case, however, and the EDPB also emphasizes this, the controller or processor concerned must examine which particular risks arise from the processing in the third country (here under Art. 5 and Art. 24 GDPR). In addition, the principle of transparency requires that data subjects be informed about the processing abroad;
- Clarification that the transfer restrictions also apply to processors; this is not new. What is interesting, however, is the following note, which addresses the frequent situation where a controller uses a processor in the EEA which in turn discloses data to a third country (the standard case for cloud providers based in the EU). Here the EDPB apparently sees a (co-)responsibility of the controller for the onward transfer by the processor:
Therefore, there will be a transfer situation where a processor (either under Article 3(1) or under Article 3(2) for a given processing, as explained above) sends data to another processor or even to a controller in a third country as instructed by its controller. In these cases, the processor acts as a data exporter on behalf of the controller and has to ensure that the provisions of Chapter V are complied with for the transfer at stake according to the instructions of the controller, including that an appropriate transfer tool is used. Considering that the transfer is a processing activity carried out on behalf of the controller, the controller is also responsible and could be liable under Chapter V and also has to ensure that the processor provides for sufficient guarantees under Article 28.
- Clarification that a transfer is not exempt from the restrictions of the GDPR simply because the importer in the third country is itself subject to the GDPR;
- Note that when selecting a processor, it is also necessary to check whether the processor is exposed to access by foreign authorities. Even a processor established in the EEA may be subject to access by authorities of third countries (access by U.S. authorities certainly comes to mind here). If such access occurs and the processor discloses data accordingly, it no longer does so as a processor but as a controller;
- The new version contains various examples that were not in the draft. In a new annex, these examples are illustrated with graphics.