General principle for transfers
(6) Rapid technological developments and globalisation have brought new challenges for the protection of personal data. The scale of the collection and sharing of personal data has increased significantly. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Natural persons increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life, and should further facilitate the free flow of personal data within the Union and the transfer to third countries and international organisations, while ensuring a high level of the protection of personal data.
Article 44 is intended to state the general principle governing data transfers to non-EU third countries or international organizations. These transfers can only be effected if the controllers and the processors falling under the scope of the Regulation comply with the rules provided in Chapter V.
The provision gives however a new extension to the rule: transfers of personal data to a third country or to an international organization operated as part of planned or ongoing processing are covered, but also the future processing by the recipient third country to another country or another organization. They must also comply with Chapter V of the Regulation. In other words, by this provision, the Regulation sets up a sort of data protection-specific “right to pursue”: the data transferred outside the Union remain subject to the law of the Union not only for their transfer, but also for any processing and subsequent transfer.
The concept of international organization, defined in article 4, 26) of the Regulation is an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.
This provision has been reintroduced by the final version of the Regulation, after having been removed from the second proposed version. The goal, as referred to in the provision is that the level of protection of individuals guaranteed by the Regulations is not lowered.
The Directive included no similar provision.
The extension of the territorial scope to processing carried out outside the territory of the Union, by recipient controllers and processors established outside the EU has both political and legal implications.
Politically, the provision allows the European authorities to intervene and detect violations of the Regulation outside the EU on the grounds of a new legitimacy included in the Regulation. It can more easily use the argument of the data protection in different files or negotiations in order to obtain an advantage.
Legally, it goes without saying that the provision may be felt by third countries as an attack on their sovereignty because it imposes a new rule on their territory and a limitation of the freedom of processing. The powers of control and enforcement of the EU authorities and the Member States, of course, cannot be exercised outside the territory of the EU.
The measure must be taken of the difference with other rules allowing the application of the Regulation to controllers established outside the territory of the EU (see Article 3). It is an indirect submission since only the controllers and the processors who are subject to the other provisions of the Regulation pursuant to Article 3, must comply with Article 44 and accordingly, Chapter V. There is no recipient of the transferred data. Or any person concerned by the data which would be at the origin of the transfer either.
- Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR - 5/2021 (18 November 2021)
- Frequently Asked Questions on the judgment in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (23 July 2020)
European data protection board (EDPB)
Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR - 5/2021 (18 November 2021)
According to Article 44 of the GDPR, the conditions laid down in its Chapter V shall apply to any “transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation”. The overarching purpose of Chapter V is to ensure that the level of protection guaranteed by the GDPR is not undermined when personal data are transferred “to third countries or to international organisations”.
2. The provisions of Chapter V aim at ensuring the continued protection of personal data after they have been transferred to a third country or to an international organisation. When personal data is processed on EU territory it is protected not only by the rules in the GDPR but also by other rules, both on EU and Member State level, that must be in line with the GDPR (including possible derogations therein) and ultimately with the EU Charter on fundamental rights and freedoms. When personal data is transferred and made accessible to entities outside the EU territory, the overarching legal framework provided within the Union no longer applies.
3. Therefore, it must be ensured that the transferred personal data is protected in other ways, such as by being transferred in the context of an adequacy decision from the European Commission or by provision of appropriate safeguards in accordance with Chapter V of the GDPR. When relying on one of the transfer tools listed in Article 46 GDPR, it must be assessed whether supplementary measures need to be implemented in order to bring the level of protection of the transferred data up to the EU standard of essential equivalence. This applies also in situations where the processing falls under Article 3(2) of the GDPR, in order to avoid that the protection provided by the GDPR is undermined by other legislation that the importer falls under. This may for example be the case where the third country has rules on government access to personal data that go beyond what is necessary and proportionate in a democratic society (to safeguard one of the important objectives as also recognised in Union or Member States’ law, such as those listed in Article 23(1) GDPR). The provisions in Chapter V are there to compensate for this risk and to complement the territorial scope of the GDPR as defined by Article 3 when personal data is transferred to countries outside the EU.
4. The following sections aim at clarifying this interplay between Article 3 and the provisions of the GDPR on international transfers in Chapter V in order to assist controllers and processors in the EU in identifying whether a processing constitutes a transfer to a third country or to an international organisation and, as a result, whether they have to comply with the provisions of Chapter V of the GDPR.
5. It is however important to keep in mind that although a certain data flow may not constitute a transfer under Chapter V, such processing can still be associated with risks for which safeguards must be envisaged. Regardless of whether the processing takes place in the EU or not, controllers and processors always have to comply with all relevant provisions of the GDPR, such as the Article 32 obligation to implement technical and organizational measures taking into account, inter alia, the risks with respect to the processing.
Frequently Asked Questions on the judgment in Case C-311/18 - Data Protection Commissioner v Facebook Ireland Ltd and Maximillian Schrems (23 July 2020)
This document aims at presenting answers to some frequently asked questions received by supervisory authorities (“SAs”) and will be developed and complemented along with further analysis, as the EDPB continues to examine and assess the judgment of the Court of Justice of the European Union (the “Court”).
C-311/18 (16 July 2020) - Facebook Ireland et Schrems
1. Article 2(1) and (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), must be interpreted as meaning that that regulation applies to the transfer of personal data for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, irrespective of whether, at the time of that transfer or thereafter, that data is liable to be processed by the authorities of the third country in question for the purposes of public security, defence and State security.
2. Article 46(1) and Article 46(2)(c) of Regulation 2016/679 must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required by those provisions must ensure that data subjects whose personal data are transferred to a third country pursuant to standard data protection clauses are afforded a level of protection essentially equivalent to that guaranteed within the European Union by that regulation, read in the light of the Charter of Fundamental Rights of the European Union. To that end, the assessment of the level of protection afforded in the context of such a transfer must, in particular, take into consideration both the contractual clauses agreed between the controller or processor established in the European Union and the recipient of the transfer established in the third country concerned and, as regards any access by the public authorities of that third country to the personal data transferred, the relevant aspects of the legal system of that third country, in particular those set out, in a non-exhaustive manner, in Article 45(2) of that regulation.
3. Article 58(2)(f) and (j) of Regulation 2016/679 must be interpreted as meaning that, unless there is a valid European Commission adequacy decision, the competent supervisory authority is required to suspend or prohibit a transfer of data to a third country pursuant to standard data protection clauses adopted by the Commission, if, in the view of that supervisory authority and in the light of all the circumstances of that transfer, those clauses are not or cannot be complied with in that third country and the protection of the data transferred that is required by EU law, in particular by Articles 45 and 46 of that regulation and by the Charter of Fundamental Rights, cannot be ensured by other means, where the controller or a processor has not itself suspended or put an end to the transfer.
4. Examination of Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EU of the European Parliament and of the Council, as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 in the light of Articles 7, 8 and 47 of the Charter of Fundamental Rights has disclosed nothing to affect the validity of that decision.
5. Commission Implementing Decision (EU) 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield is invalid.
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. All provisions in this Chapter shall be applied in order to ensure that the level of protection of natural persons guaranteed by this Regulation is not undermined.
1st proposal close
Any transfer of personal data which are undergoing processing or are intended for processing after transfer to a third country or to an international organisation may only take place if, subject to the other provisions of this Regulation, the conditions laid down in this Chapter are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation.
2nd proposal close
No specific provision
No specific provision