European Data Protection Board Guidelines Clarify When Processing Is an International Transfer Under the GDPR

On November 18, 2021, the European Data Protection Board (EDPB) adopted Guidelines 05/2021 on the Interplay Between the Application of Article 3 and the Provisions on International Transfers as per Chapter V of the GDPR. These guidelines resolve significant uncertainty about when Chapter V transfer mechanisms, such as standard contractual clauses (SCCs) and binding corporate rules (BCRs), are required for personal data to flow from the EU to third countries.

The Three-Criteria Test

The EDPB established a three-criteria test for determining when a processing activity constitutes an “international transfer” requiring Chapter V compliance:

1. A controller or processor is subject to GDPR for the specific processing at issue
2. The controller or processor discloses personal data (by transmission or making it available) to another controller, joint controller, or processor (the “importer”)
3. The importer is located in a third country or is an international organization (regardless of whether GDPR applies to the importer’s processing)

All three criteria must be met for Chapter V mechanisms to apply.

Five Key Takeaways

1. Direct Disclosure to Third-Country Recipients Triggers Chapter V

Any time a GDPR-subject entity discloses personal data to a recipient located outside the EEA (and that recipient is in a third country or is an international organization), Chapter V mechanisms apply, regardless of whether the transfer is by active transmission or by making data available for access.

2. Single-Entity Processing Does Not Require Chapter V Mechanisms

Where a single controller or processor subject to GDPR processes data on servers located in a third country, without transferring data to another controller or processor, Chapter V does not apply. The key trigger is the disclosure to another party, not the geographic location of servers.

3. Intra-Group Transfers Still Require Chapter V Mechanisms

Transfers between group companies remain subject to Chapter V requirements where the recipient entity is located in a third country. The fact that the entities share common ownership does not eliminate the need for SCCs, BCRs, or other appropriate safeguards.

4. Chapter V Applies Even When the Importer Is Subject to GDPR

If an importer is located in a third country but is itself subject to GDPR pursuant to Article 3 (for example, because it directly targets EU data subjects), Chapter V mechanisms are still required for transfers to that importer. Being subject to GDPR does not substitute for Chapter V compliance.

5. DPIAs and Security Measures Are Scope-Appropriate

Transfer Impact Assessments (TIAs) required by the new EU SCCs and the security measures required in Chapter V mechanisms should be tailored to the data being transferred and the risks of the specific transfer relationship, not applied as a one-size-fits-all exercise.

Practical Implications

These guidelines are particularly relevant for organizations that:

• Use cloud service providers with infrastructure in non-EEA countries
• Have intra-group data flows between EU and non-EU affiliates
• Process EU personal data on servers located outside the EEA
• Have EU-based data subjects whose data flows to U.S. parent companies or processors

Organizations should review their data maps and existing transfer mechanisms in light of these guidelines, particularly given the December 2022 deadline for replacing old SCCs with the new June 2021 EU SCCs.

For assistance evaluating your organization’s Chapter V compliance obligations, contact Fey LLC.