It has been a turbulent time in the world of transfers, with organisations having to grapple with the consequences of the Schrems II decision, the supplementary measures they now need to take when using Standard Contractual Clauses (SCCS) following the publication of the European Data Protection Board’s (EDPB) recommendations, as well as the issuance by the European Commission of the latest version of the SCCs.
In the latest chapter of this saga, on 18 November 2021 the European Data Protection Board published new draft guidelines, aiming to clarify the circumstances under which a processing of personal data constitutes a transfer to a third country (i.e. a country outside the European Economic Area (EEA)) or to an international organisation. Where such a transfer takes place, an organisation then needs to comply with the transfer requirements under Chapter V of the General Data Protection Regulation (GDPR) (i.e. transfer in the context of an adequacy decision or the implementation of SSCs, Binding Corporate Rules, Codes of Conduct etc.). The draft guidelines are currently subject to a public consultation that ends on 31 January 2022.
The EDPB has identified three cumulative criteria that qualify a processing as a transfer: