International Data Transfers – exemption for employees travelling on business
Monday, 22 May 2023
On 14 February 2023, the European Data Protection Board (EDPB) formally adopted Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR (available here and please see our previous publication on the draft guidelines available here).
The guidelines confirm that where an employee of a business within the EEA travels abroad to a third country, for example, on a business trip, and the employee receives or remotely accesses personal data from within the EEA while in the third country, the data transfer is not viewed as a ‘restricted transfer’ for the purposes of Chapter V of the GDPR and therefore does not require the employee and the business to enter into an ‘appropriate safeguard’, i.e. Standard Contractual Clauses (SCCs), to legitimate this transfer.
It should be noted, however, that this position relates only to employees of a business and the guidelines remain silent as to whether access to personal data by a contractor from a third country amounts to a ‘transfer’ for the purposes of Chapter V of the GDPR. In the absence of any confirmation on this point, it is best to assume that a business and contractor will be viewed as separate entities and that SCCs should be put in place prior to any data transfer between the business and the contractor from a third country (as well as conducting a ‘transfer impact assessment’ to document the specific circumstances of the transfer and the laws in the country of destination and adopting supplementary measures, as required).
The guidelines caution, however, that although the example above may not qualify as a transfer to a third country subject to Chapter V of the GDPR, controllers and processors remain accountable under the GDPR for their processing activities (including any difficulties posed by conflicting national laws or government access in a third country or with enforcing or obtaining redress against entities outside the EU), regardless of where they take place. For example, controllers and processors should be mindful of continuing obligations in relation to security of processing and the need to implement appropriate technical and organisational measures under Article 32 of the GDPR as well as the requirement to carry out a data protection impact assessment where the processing poses a high risk to the rights and freedoms of individuals.
The final version of the guidelines also confirms that where businesses form part of the same corporate group and qualify as separate controllers or processors, data flows from one group entity (e.g. a parent or subsidiary) to another located in a third country (i.e. intra-group data disclosures) will constitute transfers of personal data and will require the entities within the corporate group to enter into an ‘appropriate safeguard’ to legitimate any intra-group transfers of personal data (i.e. SCCs, Binding Corporate Rules etc. are required).
For further information, please contact Seán O’Donnell, Zelda Deasy, Kelly Mackey, Barrie Scott or any member of our Data Protection/GDPR Team.