The EDPB Issues Guidelines Clarifying What Constitutes an International Data Transfer Under the GDPR

Share on facebook
Share on twitter
Share on linkedin
Share on reddit
Share on email

On November 19, 2021, the European Data Protection Board (“EDPB”) published its draft Guidelines 05/2021 (the “Guidelines”) on the interplay between the application of Article 3 of the EU General Data Protection Regulation (“GDPR”), which sets forth the GDPR’s territorial scope, and the GDPR’s provisions on international data transfers. The Guidelines aim to assist organizations subject to the GDPR in identifying whether a data processing activity constitutes an international data transfer under the GDPR, as the GDPR does not define the term.

The Guidelines set forth three criteria to consider in determining whether a processing activity qualifies as an international data transfer under the GDPR:

The exporting controller or processor is subject to the GDPR for the given processing activity. The exporting controller or processor transmits or makes available the personal data to the data importer (e.g., another controller, joint controller or a processor). The Guidance clarifies that the collection of data directly from data subjects in the EU does not constitute an international data

Read the article