The flow of personal data to third countries (i.e., non-EU/EEA) has been regulated by Directive 95/46/EC in order to prevent the transfer from thwarting the safeguards and rights that EU law provides for the protection of data subjects. In addition to this scenario, the GDPR also addresses a different one: processing that involves more than one member state while remaining within the territory of the Union.
On cross-border processing, the WPArt29 had already expressed its position, and now the EDPB intervenes with Guidelines 08/2022, supplementing its earlier positions.
Data transfers to third countries and cross-border processing
While Directive 95/46/EC was in force, the issue of cross-border personal data flows essentially concerned transfers whose destination is a country outside the EU or EEA. This circumstance raises the need to verify whether the destination country has protection measures and safeguards in place equivalent to those in the Union to protect personal data and data subjects, so that moving the information under the aegis of another jurisdiction does not nullify the EU safeguards on data protection. Without an adequacy decision from the EU Commission, or in the absence of other instruments recognized by the legislator as equivalent, or in the absence of derogatory circumstances deemed to have priority, the transfer of personal data outside the EU is prohibited.
The GDPR has introduced a new dimension to the phenomenon of data flows, the intra-EU dimension, i.e., when processing crosses member state borders but still remains within the EU/EEA. In this case, the data flow is unrestricted and the GDPR offers the data controller or data processor the opportunity to interact with a single supervisory authority for related compliance, regardless of which and how many member states are involved in the processing in question (the so-called “one stop shop” mechanism). Consequently, in these contexts, it is important for the controller or processor to determine precisely which supervisory authority is the lead one.
The WPArt29 had initially issued its own guidelines for identifying the lead supervisory authority in the case of cross-border flows of personal data within the Union (wp244), later amended and adopted in April 2017 (wp244 rev.01) and subsequently endorsed by the EDPB at its first plenary meeting in May 2018.