Which of the following statements is inconsistent with the EDPB's position on qualifying a given processing as a “transfer” under Chapter V of the GDPR?
A.
Transfers subject to the GDPR can only occur when two separate parties – each of them a controller, joint controller or processor – are involved.
B.
Transfers subject to the GDPR may involve data disclosures between entities belonging to the same corporate group (intra-group data disclosures).
C.
Transfers subject to the GDPR may involve remote access of personal data from a third country during a business trip of an employee of the controller for the given processing.
D.
Transfers in which a controller or processor makes personal data available to another controller, joint controller, or processor needs to be subject to the GDPR for the given processing.
见 Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR. Example 8,George, employee of A, a company based in Poland, travels to a third country for a meeting bringing his laptop. During his stay abroad, George turns on his computer and accesses remotely personal data on his company’s databases to finish a memo. This bringing of the laptop and remote access of personal data from a third country, does not qualify as a transfer of personal data, since George is not another controller, but an employee, and thus an integral part of the controller.
C is inconsistent with the EDPB's position because remote access to data by an employee while traveling abroad does not qualify as a "transfer" under the GDPR. The EDPB has clarified that accessing personal data from outside the EU or EEA does not automatically constitute a transfer, unless there is an actual disclosure of personal data to a third country. In this case, merely accessing the data remotely by an employee of the controller during a business trip does not trigger the same conditions as a data transfer.
A- This statement is incorrect because transfers under Chapter V of the GDPR do not necessarily require two separate parties. A transfer can involve data disclosures between entities within the same corporate group (intra-group data disclosures) and can also include situations where remote access to data from a third country is involved, such as during a business trip. The key factor is that the data is transferred to a third country, and the GDPR’s requirements for transfers apply in these contexts to ensure adequate protection of personal data.
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Janevol
2 weeks, 3 days ago72d0a83
2 months agoXL_165
2 months agoSsourav
6 months ago7f814c6
6 months, 2 weeks agoClaire0911
1 year, 3 months ago