The Interplay Between GDPR’s Article 3.2 and Chapter V and (Finally) a Definition of ‘Transfer’

Share on facebook
Share on twitter
Share on linkedin
Share on reddit
Share on email

The European Data Protection Board has issued draft guidelines on the interplay between Art 3.2 and Chapter V of GDPR. And they also have finally defined the term “transfer.”

Here are some key takeaways:

You must comply with the provisions of Chapter V GDPR, including the Schrems II assessment and supplemental measures, even when the recipient is subject to GDPR under Art 3.2. Regardless of whether the processing takes place in the EU or not, controllers and processors always have to comply with all relevant provisions of the GDPR, such as Article 32. When a controller or processor who is subject to GDPR (seemingly even if outside the EU themselves) sends personal data or makes it available to a non EU recipient, even if such recipient is subject to GDPR under Art 3.2, this constitutes a transfer for the purpose of Chapter V. If an individual in the EU, directly and on his/her own initiative sends personal data to a non EU recipient, wait

Read the article