On 18 November 2021, the European Data Protection Board (“EDPB”) adopted new guidelines which:
- Set out a three part criteria for identifying whether an action will be considered an international transfer of personal data; and
- Clarify that restrictions on international data transfers do apply to transfers to entities located in a third country, but which are subject to the GDPR under its extraterritorial scope.
Businesses will welcome the clarity on which activities are considered international data transfers, particularly the EDPB’s guidance on the use of EU personal data by employees travelling abroad, the direct collection of personal data from individuals located in the EU by foreign businesses and the transfers of non-EU personal data to and from EU based service providers (more details below). However, the guidance confirms that organisations may be required to implement additional tools to ensure that these transfers are adequately protected, even where the recipient is subject to the GDPR.