Strict EU rules on the international transfer of personal data do not apply when employees access data from their company’s database remotely while on business trips in other parts of the world, a data protection watchdog has confirmed.
The example is explained in new guidance the European Data Protection Board (EDPB) is currently consulting on (9-page / 168KB PDF), which concerns the territorial scope of the rules on international data transfers under the General Data Protection Regulation (GDPR).
Both the EU and UK GDPR impose strict conditions on the transfer of personal data outside of the jurisdiction – in the EU’s case, the European Economic Area (EEA). The European Commission has put in place so-called adequacy agreements to enable data to flow freely from the EEA to certain ‘third countries’, including the UK, that it deems to have data protection regimes essentially equivalent to the EU’s. In many cases, however, businesses must carry out a transfer impact assessment and turn to legal tools such as standard contractual clauses as a means of providing for EU data protection standards to be applied to personal data transferred outside of the EEA.
The EDPB’s draft guidance attempts to help businesses understand which activities constitute data transfers to which the strict conditions apply. There is uncertainty over the matter because the GDPR does not define what is meant by a transfer of personal data to a third country or to an international organisation. The position is further complicated because the GDPR is not only applicable to EU-based organisations processing personal data. In many cases it also applies to organisations based outside of the EU because of the nature of their operations and their targeting of EU customers.
According to the EDPB, a data processing activity will trigger the application of the GDPR’s data transfer rules where it meets three criteria.
First, the controller or processor must be subject to the GDPR for the given processing. Second, that data exporter must disclose by transmission or otherwise make personal data, subject to this processing, available to another controller, joint controller or processor – a data importer. Third, the importer must be in a third country or be an international organisation, irrespective of whether or not it is subject to the GDPR in respect of the given processing.
The EDPB has set out examples in its draft guidance to help businesses understand how the criteria apply in practice. It includes an example where an employee, ‘George’, of a controller in the EU, a Polish company, travels to India, which is a third country, on a business trip and accesses personal data on the company’s databases remotely from his computer.
The EDPB said: “This remote access of personal data from a third country, does not qualify as a transfer of personal data, since George is not another controller, but an employee, and thus an integral part of the controller (company A). Therefore, the disclosure is carried out within the same controller (A). The processing, including the remote access and the processing activities carried out by George after the access, are performed by the Polish company, i.e. a controller established in the Union subject to Article 3(1) of the GDPR.”
Data protection law expert Rosie Nance of Pinsent Masons said: “This and the other examples provided by the EDPB in its draft guidance are welcome, but it remains unclear whether there would be a transfer for GDPR purposes in other employee-related contexts, such as where an employee is permanently based in a third country or operating out of branch offices. It would be helpful for the EDPB to clarify these points when it comes to finalise its guidance next year.”
In the UK, the Information Commissioner’s Office (ICO) has also issued guidance on when processing activities will trigger the rules on data transfers. The ICO’s position differs from the EDPB’s.
Nance said: “The ICO has said that a ‘restricted transfer’ only takes place where the transfer is to a recipient to which the UK GDPR doesn’t apply. So a transfer to a third country recipient to which the UK GDPR applied in relation to that processing wouldn’t be a ‘restricted transfer’.”
In a similar example to the EDPB’s business trips example, the ICO confirmed that “if you are sending personal data to someone employed by you or by your company or organisation, this is not a restricted transfer”.
In other examples given in its draft guide, the EDPB explained that a controller in a third country collecting data directly from a data subject in the EU does not constitute a data transfer, but that data passed from EU-based controllers or processors to processors or sub-processors in third countries are data transfers.
The EDPB also said that in circumstances where a non-EU company that is not subject to the GDPR transfers data to an EU-based processor that subsequently sends it back to the non-EU company, that transfer from the EU processor to the third country controller would constitute a transfer for GDPR purposes.
In a further example, the EDPB confirmed that the GDPR’s data transfer rules would apply to both the controller-to-processor transfer and the processor-to-controller transfer in circumstances where a non-EU controller’s personal data processing is subject to the GDPR but it outsources processing activities to an EU-based processor that subsequently transfers the personal data back to the controller.
The EDPB’s draft guidance is open to feedback until 31 January 2022.