Defining personal data transfers for the context of the General Data Protection Regulation

A critical perspective on the Guidelines 5/2021 of the European Data Protection Board

• Laura Drechsler

On 18 November 2021, the European Data Protection Board (EDPB) published a piece of guidance that was supposed to clarify one of the ultimate mysteries of the General Data Protection Regulation (GDPR), namely the definition of international personal data transfers. The EDPB does clarify that for the assessment of an act as a transfer, the actors involved are important, thus it is only a transfer if data are exchanged between a (joint) controller or processor within the EU and a (joint) controller or processor outside of it. It however fails to specify which processing acts qualify as such an exchange of personal data and especially whether there is a need for either knowledge or intention on the side of the transferring (joint) controller or processor. Moreover, the approach proposed by the EDPB leads to a number of questions when it comes to the protection of the fundamental rights of data subjects, notably with regards to transparency of transfers, enforcement via representatives, and access by public authorities in third countries. The analysis presented in this paper summarizes the guidance given by the EDPB and outlines which questions on transfers remain open, especially from the perspective of the data subject.