The EDPB publishes new guidelines for personal data protection

April 11, 2023

The European Data Protection Board (EDPB) has recently published, after a public consultation with different segments of European society, three new guidelines related to the protection of personal data. They are the following:

  1. Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
  2. Guidelines 07/2022 on certification as a tool for transfers
  3. Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them

The following is a brief description of each of them:

1.1. GUIDELINES 05/2021 ON THE INTERPLAY BETWEEN THE APPLICATION OF ARTICLE 3 AND THE PROVISIONS ON INTERNATIONAL TRANSFERS AS PER CHAPTER V OF THE GDPR

Given that the GDPR (General Data Protection Regulation) does not define what a “transfer of personal data to a third country or to an international organization” is, the EDPB uses three cumulative criteria to qualify a processing operation as a transfer. Thus, if all three criteria identified by the EDPB are met, the operation is regarded as a transfer and Chapter V of the GDPR applies. They are:

  1. A controller or a processor (“exporter”) is subject to the GDPR for the given processing;
  2. The exporter discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”); and
  3. The importer is in a third country, irrespective of whether or not this importer is subject to the GDPR for the given processing in accordance with Article 3, or is an international organisation.

Thus, the transfer of personal data to a third country or to an international organization may only take place on the basis of an adequacy decision by the European Commission (Article 45) or by providing appropriate safeguards (Article 46).

If the three criteria are not met, Chapter V of the GDPR does not apply, but the controller must comply with the remaining provisions of the GDPR, in particular Article 5 (“Principles relating to the processing of personal data”), Article 24 (“Responsibility of the controller”) and Article 32 (“Security of Processing”).

The risks of such personal data processing in a foreign country that does not comply with the GDPR relate in particular to conflicting national laws and to disproportionate government access.

The examples are the highlight of these guidelines: they help in understanding how the criteria apply in practical cases, as shown below.

Example 1 – Controller in a third country collects data directly from a data subject in the EU (under Article 3(2) GDPR)

Maria, living in Italy, inserts her name, surname and postal address by filling in a form on an online clothing website in order to complete her order and receive the dress she bought online at her residence in Rome. The online clothing website is operated by a third country company that has no presence in the EU, but specifically targets the EU market. In this case, the data subject (Maria) passes her personal data to the third country company. This does not constitute a transfer of personal data since the data are not passed by an exporter (controller or processor), but directly collected from the data subject by the controller under Article 3(2) GDPR. Thus, Chapter V does not apply to this case. Nevertheless, the third country company will be required to apply the GDPR since its processing operations are subject to Article 3(2).

Example 2 – Controller in a third country collects data directly from a data subject in the EU (under Article 3(2) GDPR) and uses a processor outside the EU for some processing activities

Maria, living in Italy, inserts her name, surname and postal address by filling in a form on an online clothing website in order to complete her order and receive the dress she bought online at her residence in Rome. The online clothing website is operated by a third country company that has no presence in the EU, but specifically targets the EU market. In order to process the orders received by means of the website, the third country company has engaged a non-EEA processor. In this case, the data subject (Maria) passes her personal data to the third country company and this does not constitute a transfer of personal data since the data are directly collected by the controller under Article 3(2) GDPR. Thus, the controller will have to apply the GDPR to the processing of this personal data. As far as it engages a non-EEA processor, such disclosure from the third country company to its non-EEA processor would amount to a transfer, and it will be required to apply Article 28 and Chapter V obligations so as to ensure that the level of protection afforded by the GDPR would not be undermined when data are processed on its behalf by the non-EEA processor.

Example 3 – Controller in a third country receives data directly from a data subject in the EU (but not under Article 3(2) GDPR) and uses a processor outside the EU for some processing activities

Maria, living in Italy, decides to book a room in a hotel in New York using a form on the hotel website. Personal data are collected directly by the hotel, which does not target/monitor individuals in the EEA. In this case, no transfer takes place since data are passed directly by the data subject and directly collected by the controller. Also, since no targeting or monitoring activities of individuals in the EEA are taking place by the hotel, the GDPR will not apply, including with regard to any processing activities carried out by non-EEA processors on behalf of the hotel.

Example 4 – Data collected by an EEA platform and then passed to a third country controller

Maria, living in Italy, books a room in a hotel in New York by means of an online EEA travel agency. Maria’s personal data, necessary for booking the hotel, are collected by the EEA online travel agency as a controller and sent to the hotel receiving the data as a separate controller. While passing the personal data to the third country hotel, the EEA travel agency carries out a transfer of personal data and Chapter V GDPR applies.

Example 5 – Controller in the EU sends data to a processor in a third country

Company X established in Austria, acting as controller, provides personal data of its employees or customers to Company Z in a third country, which processes these data as processor on behalf of Company X. In this case, data are provided from a controller, which as regards the processing in question is subject to the GDPR, to a processor in a third country. Hence, the provision of data will be considered as a transfer of personal data to a third country and therefore Chapter V of the GDPR applies.

Example 6 – Processor in the EU sends data back to its controller in a third country

XYZ Inc., a controller without an EU establishment, sends personal data of its employees/customers, all of them data subjects not located in the EU, to the processor ABC Ltd. for processing in the EU, on behalf of XYZ. ABC re-transmits the data to XYZ. The processing performed by ABC, the processor, is covered by the GDPR for processor-specific obligations pursuant to Article 3(1), since ABC is established in the EU. Since XYZ is a controller in a third country, the disclosure of data from ABC to XYZ is regarded as a transfer of personal data and therefore Chapter V applies.

Example 7 – Processor in the EU sends data to a sub-processor in a third country

Company A established in Germany, acting as controller, has engaged B, a French company, as a processor on its behalf. B wishes to further delegate a part of the processing activities that it is carrying out on behalf of A to sub-processor C, a company in a third country, and hence to send the data for this purpose to C. The processing performed by both A and its processor B is carried out in the context of their establishments in the EU and is therefore subject to the GDPR pursuant to its Article 3(1), while the processing by C is carried out in a third country. Hence, the passing of data from processor B to sub-processor C is a transfer to a third country, and Chapter V of the GDPR applies.

Example 8 – Employee of a controller in the EU travels to a third country on a business trip

George, employee of A, a company based in Poland, travels to a third country for a meeting, bringing his laptop. During his stay abroad, George turns on his computer and remotely accesses personal data on his company’s databases to finish a memo. This bringing of the laptop and remote access of personal data from a third country does not qualify as a transfer of personal data, since George is not another controller, but an employee, and thus an integral part of the controller A. Therefore, the transmission is carried out within the same controller A. The processing, including the remote access and the processing activities carried out by George after the access, is performed by the Polish company, i.e. a controller established in the Union subject to Article 3(1) of the GDPR. It can, however, be noted that in case George, in his capacity as an employee of A, would send or make data available to another controller or processor in the third country, the data flow in question would amount to a transfer under Chapter V, from the exporter (A) in the EU to such importer in the third country.

Example 9 – A subsidiary (controller) in the EU shares data with its parent company (processor) in a third country

The Irish Company X, which is a subsidiary of the parent Company Y in a third country, discloses personal data of its employees to Company Y to be stored in a centralised HR database by the parent company in the third country. In this case the Irish Company X processes (and discloses) the data in its capacity of employer and hence as a controller, while the parent company is a processor. Company X is subject to the GDPR pursuant to Article 3(1) for this processing and Company Y is situated in a third country. The disclosure therefore qualifies as a transfer to a third country within the meaning of Chapter V of the GDPR.

Example 10 – Processor in the EU sends data back to its controller in a third country

Company A, a controller without an EU establishment, offers goods and services to the EU market. The French company B is processing personal data on behalf of company A. B re-transmits the data to A. The processing performed by the processor B is covered by the GDPR for processor-specific obligations pursuant to Article 3(1), since it takes place in the context of the activities of its establishment in the EU. The processing performed by A is also covered by the GDPR, since Article 3(2) applies to A. However, since A is in a third country, the disclosure of data from B to A is regarded as a transfer to a third country and therefore Chapter V applies.

Example 11 – Remote access to data in the EU by a third country processor acting on behalf of EU controllers

A company in a third country (Company Z), with no establishment in the EU, offers services as a processor to companies in the EU. Company Z, acting as processor on behalf of the EU controllers, is remotely accessing, e.g. for support purposes, the data which is stored in the EU. Since Company Z is located in a third country, such remote access results in transfers of data from the EU controllers to their processor (Company Z) in a third country under Chapter V.

Example 12 – Controller in the EU uses a processor in the EU subject to third country legislation

The Danish Company X, acting as controller, engages Company Y established in the EU as a processor on its behalf. Company Y is a subsidiary of the third country parent Company Z. Company Y is processing the data of Company X exclusively in the EU and there is no one outside the EU, including the parent Company Z, who has access to the data. Additionally, it follows from the contract between Company X and Company Y that Company Y shall only process the personal data on documented instructions from Company X, unless required to do so by EU or Member State law to which Company Y is subject. Company Y is however subject to third country legislation with extraterritorial effect, which in this case means that Company Y may receive access requests from third country authorities. Since Company Y is not in a third country (but an EU company subject to Article 3(1) GDPR), the disclosure of data from the controller Company X to the processor Company Y does not amount to a transfer and Chapter V of the GDPR does not apply. As mentioned, there is however a possibility that Company Y receives access requests from third country authorities, and should Company Y comply with such a request, such disclosure of data would be considered a transfer under Chapter V. Where Company Y complies with a request in violation of the controller’s instructions and thus Article 28 GDPR, Company Y shall be considered an independent controller of that processing under Article 28(10) GDPR.

In this situation, the controller Company X should, before engaging the processor, assess these circumstances in order to ensure that, as required by Article 28 GDPR, it only uses processors providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing is in line with the GDPR, including Chapter V, as well as to ensure that there is a contract or legal act governing the processing by the processor.


1.2. GUIDELINES 07/2022 ON CERTIFICATION AS A TOOL FOR TRANSFERS

The GDPR requires in its Article 46 that data exporters put in place appropriate safeguards for transfers of personal data to third countries or international organizations. Among these safeguards, certification emerges as a new transfer mechanism (Articles 42(2) and 46(2)(f)).

According to Article 44 of the GDPR, any transfer of personal data to third countries or international organizations must comply with the conditions of the remaining provisions of the GDPR in addition to its Chapter V. Therefore, each transfer must comply, among others, with the data protection principles of Article 5 of the GDPR, with Article 6 of the GDPR (lawfulness of processing) and, in the case of special categories of data, with Article 9 of the GDPR.

Thus, a two-step test should be applied. As a first step, one must ensure compliance with the general provisions of the GDPR. Then, as a second step, one must comply with the provisions of Chapter V of the GDPR.

Pursuant to Article 46(2)(f) of the GDPR, such appropriate safeguards, including respect for the rights of data subjects, can be provided by an approved certification mechanism, together with binding and enforceable commitments from the controller or processor in the third country.

The EDPB is empowered to approve EEA-wide certification criteria (European Data Protection Seal) and to provide opinions on Supervisory Authorities’ draft decisions on certification criteria and accreditation requirements of the certification bodies so as to ensure consistency. It is also competent for collating all certification mechanisms and data protection seals and marks in a register and making them publicly available.

The Supervisory Authorities (SAs) approve the certification criteria when the certification mechanism is not a European Data Protection Seal. They might also accredit the certification body, design the certification criteria and issue certification if established by the national law of their Member State.

On the other hand, the National Accreditation Body may accredit third-party certification bodies by using ISO 17065 together with the SAs’ additional accreditation requirements, which should be in line with section 2 of these guidelines. In some Member States, accreditation can be carried out by the competent SA, by the national accreditation body, or by both.

Finally, the Scheme Owner is another important stakeholder. It is an organisation which has set up the certification criteria and the methodology requirements according to which conformity is to be assessed. The organisation carrying out the assessments could be the same organisation that has developed and owns the scheme, but there could be arrangements where one organisation owns the scheme and another (or more than one other) performs the assessments as certification body.

Furthermore, the data exporter who wants to use a certification as an appropriate safeguard according to Article 46(2)(f) GDPR is notably obliged to verify whether the certification it intends to rely on is effective in light of the characteristics of the intended processing. To that end, the data exporter must check the issued certification in order to verify that the certificate is valid and not expired, that it covers the specific transfer to be carried out and whether the transit of personal data is in the scope of the certification, as well as whether onward transfers are involved and adequate documentation is provided on them. Considering that the exporter is responsible for all provisions in Chapter V being applied, it also has to assess whether the certification it intends to rely on as a tool for transfers is effective in the light of the law and practices in force in the third country that are relevant for the transfer at stake.

Therefore, certification should be based on the assessment of certification criteria according to a mandatory audit methodology.

The following minimum criteria must be considered by the certification mechanism with respect to processing:

  1. the purpose;
  2. the type of entity (controller or processor);
  3. the type of data transferred taking into account whether special categories of personal data as defined in Article 9 GDPR are involved;
  4. the categories of data subjects; and
  5. the countries where the data processing takes place.

With regard to transparency and the data subjects’ rights, the certification criteria should:

  1. require that information on the processing activities is provided to data subjects, including, where relevant, on the transfer of personal data to a third country or an international organisation (see Articles 12, 13 and 14 GDPR);
  2. require that data subjects are guaranteed their rights to access, rectification, erasure, restriction, notification regarding rectification or erasure or restriction, objection to processing, and the right not to be subject to decisions based solely on automated processing, including profiling, essentially equivalent to those provided for by Articles 15 to 19, 21 and 22 GDPR;
  3. require that an appropriate complaint handling procedure is established by the data importer holding a certification in order to ensure the effective implementation of the data subject rights; and
  4. require assessing whether and to what extent these rights are enforceable for the data subjects in the relevant third country and any additional appropriate measures that may need to be put in place to enforce them, e.g. requiring that the importer accept to submit itself to the jurisdiction of and cooperate with the supervisory authority competent for the exporter(s) in any procedures aimed at ensuring compliance with these rights and, in particular, that it agrees to respond to enquiries, submit to audits and comply with the measures adopted by the aforementioned supervisory authority, including remedial and compensatory measures.

Additional certification criteria include assessment of third country legislation, general obligations of importers and exporters, rules on onward transfers, redress and enforcement of data subject rights, process and actions for situations in which national legislation prevents compliance with commitments taken as part of certification, dealing with requests for data access by third country authorities and additional safeguards concerning the exporter.

Again, a list of examples of complementary measures to be implemented by the importer, in case the transit is included in the scope of the certification, is a high point of the guidelines. They are the following:

Use case 1 – Data storage for backup and other purposes that do not require access to data in the clear

Criteria relating to the encryption standards and the security of the decryption key, in particular criteria relating to the legal situation in the third country, must be established. If the importer can be forced to pass on decryption keys, the additional measure cannot be considered effective.

Use case 2 – Transfer of pseudonymised data

In the case of pseudonymised data, criteria shall be established regarding the security of the additional information necessary to attribute the transferred data to an identified or identifiable person. In particular:

  – Criteria regarding the legal situation in the third country. If the importer can be forced to access or use additional data in order to attribute the data to an identified or identifiable person, the measure cannot be considered effective; and
  – Criteria relating to the definition of additional information available to third country authorities that might be sufficient to attribute the data to an identified or identifiable person.

Use case 3 – Encryption of data to protect it from access by the public authorities of the third country of the importer when it transits between the exporter and its importer

In the case of encrypted data, any criteria for the security of the transit shall be included. If the importer can be forced to pass on cryptographic keys for decryption or authentication, or to modify a component used for transit in such a way that its security properties are undermined, the additional measure cannot be considered effective.

Use case 4 – Protected recipient

In the case of protected recipients, criteria for the limits of the privilege must be defined. The data processing must remain within the limits of the legal privilege. This also applies to processing by (sub)processors and onward transfers, whose recipients must also be privileged.


Another list of examples of complementary measures, for the case where the transit is not covered by the certification and the exporter has to ensure them itself, is equally interesting:

Use case 1 – Transfer of pseudonymised data

Criteria shall be provided relating to the additional information available to the third country authorities that might be sufficient to attribute the data to an identified or identifiable person.

Use case 2 – Encryption of data to protect it from access by the public authorities of the third country of the importer when it transits between the exporter and its importer

Criteria shall be provided relating to the trustworthiness of the public key certification authority or infrastructure
