Keypoint: The EDPB takes the position that geographical boundaries – and not GDPR’s jurisdictional reach – govern the restricted transfer determination.
On November 19, 2021, the European Data Protection Board (EDPB) published draft guidelines on the interplay between the application of GDPR Article 3 and its provisions on international transfers in Chapter V.
The draft guidelines answer the question of whether a transfer of personal data occurs when the data leaves GDPR’s jurisdictional scope or when it leaves the European Union’s geographic scope. The draft guidelines also provide three criteria and a number of illustrative examples to guide controllers and processors to identify restricted transfers.
Restricted transfers are of heightened focus in light of the Court of Justice of the European Union’s decision in Schrems II, the European Commission’s issuance of new standard contractual clauses, and the EDPB’s recommendations on supplementary measures for cross-border data transfers. The guidelines – once finalized – will provide entities with further guidance on how to navigate this complex legal issue.
The draft guidelines will be open to public comment until the end of January.
Below is a summary.