At long last we have the definitive answer to a question that has probably been raised at just about every GDPR training session since 2016:
If an employee of an EEA-established company travels abroad, and then accesses company personal data records on their laptop from a country outside the EEA, has there been an overseas transfer of that personal data?
Heady stuff indeed and views have often differed because, whilst Article 44 GDPR refers very clearly to the notion of a “transfer of personal data to a third country or to an international organisation”, it doesn’t go into much detail. Or in fact any further detail.
So, how do we know if there’s been a transfer of personal data such that the whole of Chapter V GDPR has to be taken into account? You know, Chapter V. The requirement that the transfer is covered by an appropriate safeguard under Article 46, such as Standard Contractual Clauses signed by exporter and importer, Binding Corporate Rules or an approved certification mechanism, or else that the importer’s home jurisdiction has an adequacy decision from the European Commission under Article 45 as regards its national data protection laws. (For anyone who missed it, by the way, the UK received an adequacy decision in June 2021, albeit the decision was limited to four years initially, so we’ll need to keep an eye on developments.)
Much like the requirement to maintain “accurate” records (to give just one of many possible examples), the devil of the detail of what amounts to a “transfer” was always intended to be worked out over the early months and years of GDPR’s implementation.
For that purpose, the European Data Protection Board (EDPB), the body GDPR set up to ensure the Regulation is applied consistently across the EEA, publishes guidelines after consulting industry and other stakeholders. Its draft guidelines on the interplay between Article 3 (territorial scope) and Chapter V were adopted in November 2021 and are currently open to public consultation.
So what do they have to say about overseas transfers of personal data? Well, it’s this: there are three cumulative criteria which must be met for any processing of personal data to constitute an overseas transfer, as follows:
(1) A controller or a processor is subject to the GDPR for the given processing.
(2) This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
(3) The importer is in a third country or is an international organisation, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing.
What this means is that it’s not enough that the data is sent to, or accessed from, an overseas country. It must also be sent or made available by one party (who isn’t the data subject themselves, so someone handing over their own details to a company abroad isn’t an exporter) and received or accessed by a different controller or processor.
So the answer to the question is that there’s no overseas transfer if the employee accesses their own company’s personal data records from their laptop in a non-EEA country: the exporter and the importer would be the same legal entity, so criterion (2) is not met. The processing nevertheless remains subject to GDPR, and the company must continue to apply appropriate security measures under Article 32 to data accessed from abroad, so connecting over an open public network without something like a VPN or end-to-end encryption would be a definite no-no.
Of course, the situation arguably changes if an employee of another company based in that overseas country is in the room, looking at the screen at the same time, since the data would then be made available to a different party in a third country. The draft guidelines are silent on this point.
The full guidelines with feedback form are available at https://edpb.europa.eu/edpb_en and the public consultation closes on 31st January 2022. Don’t all rush.