EDPB adopts Guidelines on the interplay between Art. 3 and Chapter V GDPR, Statement on Digital and Data Strategy & appointment of EDPB representatives to TFTP Joint Review

During its plenary session, the EDPB adopted Guidelines on the interplay between Art. 3 and Chapter V GDPR. By clarifying the interplay between the territorial scope of the GDPR (Art. 3) and the provisions on international transfers in Chapter V, the Guidelines aim to assist controllers and processors in the EU in identifying whether a processing operation constitutes an international transfer, and to provide a common understanding of the concept of international transfers.

The Guidelines specify three cumulative criteria that qualify a processing as a transfer: (1) the data exporter (a controller or processor) is subject to the GDPR for the given processing; (2) the data exporter transmits or makes available the personal data to the data importer (another controller, joint controller or processor); (3) the data importer is in a third country or is an international organisation.

The processing will be considered a transfer, regardless of whether the importer established in a third country is already subject to the GDPR under Art. 3 GDPR. However, the EDPB considers that collection of data directly from data subjects in the EU at their own initiative does not constitute a transfer.

EDPB Chair Andrea Jelinek added: “These Guidelines provide a consistent interpretation of the concept of “international transfers” and clarify that, when a data importer is subject to the GDPR, the obligations under Chapter V GDPR apply both to the transfer from the EU to the importer and to any further transfer that the importer undertakes”.

The Guidelines will be subject to public consultation until the end of January.

The EDPB adopted a Statement on the European Commission’s Digital Services Package and Data Strategy. In the statement, the EDPB highlights three types of overarching concerns regarding the Commission proposals that have been presented so far (the Data Governance Act (DGA), Digital Services Act (DSA) and Digital Markets Act (DMA) and the AI Regulation (AIR)):

1) Lack of protection of individuals’ fundamental rights and freedoms;

2) Fragmented supervision;

3) Risks of inconsistencies.

The EDPB and EDPS have already issued joint opinions on the DGA and the AIR and the EDPS has issued opinions on the European Strategy for Data, the DMA and the DSA. In its statement, the EDPB reiterates its call for a ban on any use of AI for an automated recognition of human features in publicly accessible spaces and urges the co-legislator to consider a phase-out leading to a prohibition of targeted advertising on the basis of pervasive tracking while the profiling of children should overall be prohibited.

The EDPB further highlights the risks of parallel supervision structures and strongly recommends each proposal to provide for an explicit legal basis for the effective cooperation and exchange of information between the competent supervisory authorities under each proposal and the data protection authorities.

In addition, the EDPB calls upon the Commission and the co-legislator to ensure that the proposals clearly state that they shall not affect or undermine the application of existing data protection rules and to ensure that these rules shall prevail whenever personal data are being processed, also in the context of the forthcoming proposal for a Data Act.

Finally, the EDPB nominated two representatives from the Belgian and Hessen (DE) SA to take part in the 6th Joint Review of the EU-US Terrorist Finance Tracking Program (TFTP) Agreement.