SHARE

July 13, 2022

Data Transfers from Data Subjects in the EEA to non-EEA Processors of EEA Controllers

You've Reached Your
Free Article Limit This Month
Register for free to get unlimited access to all Law.com OnPractice content.
Register Now

 

Controller A (Non-EEA) → Processor Z (Non-EEA) → Sub-processor Y (EEA) → Controller A (Non-EEA) (same country)

Visual Description and Implications
  • Transfer 1: No mechanism needed.  Company A is not required under the GDPR to put safeguards in place to transfer information to a processor that is also located in Country Q.
  • Transfer 2: No mechanism needed.  Company Z is not required under the GDPR to put in place a transfer mechanism when it transmits (exports) personal data to the EEA. Note that it is possible that the laws of Country Q independently require a transfer mechanism, however, in many jurisdictions (e.g., the United States) there is no such requirement.
  • Transfer 3: SCC Module 4.  Article 46 of the GDPR requires that a processor that transfers personal data outside of the EEA to a non-adequate country must utilize a safeguard. The EDPB has confirmed that this requirement applies when an EEA processor (Company Y) sends data to a non-EEA controller (Company A).[1]
  • Subsequent Onward Transfers from Company A do not require safeguards.  Note that if Company A sends data that it received from Company Y to subsequent controllers or processors it is typically not required to put a transfer mechanism in place.
  • Transfer Impact Assessments.  Section 14 of SCC Module 4 does not typically require Company Y or Company A to conduct a transfer impact assessment (TIA) of the laws of Country Q. Note, however, that a TIA would be required if Company Y combined the personal data that it received from Company Z with its own personal data (e.g., did a data enhancement or a data append).
  • Law enforcement request policy.  Section 15 of SCC Module 4 does not typically require that Company A takes specific steps in the event that it receives a request from a public authority for access to personal data. Note, however, that a law enforcement policy might be warranted if Company Y combined the personal data that it received from Company Z with its own personal data (e.g., did a data enhancement or a data append).

[1] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at para. 13.

ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From Greenberg Traurig

Dutch Presented Tax Measures for 2023

By Thomas van der Vliet Greenberg Traurig September 21 , 2022

On Budget Day, 20 September 2022 (Prinsjesdag), the Dutch Ministry of Finance presented its 2023 tax plan (the Proposal). For the proposed bills discussed in this GT Alert to have effect, Parliament first must approve them.

Commerce Issues Final Rule on AD/CVD Grace Period

By Laura Siegel Rabinowitz Greenberg Traurig September 20 , 2022

The Department of Commerce (DOC) has issued the final rule implementing the two-year moratorium on anti-dumping or countervailing duties (AD/CVD) for solar panels and cells from Cambodia, Malaysia, Thailand, and Vietnam in accordance with the June 6, 2022, Presidential Proclamation (Declaration of Emergency and Authorization for Temporary Extensions of Time and Duty-Free Importation of Solar Cells and Modules from Southeast Asia; See GT Alert, Biden Uses Emergency Powers to Pause New Solar Import Tariffs—Frequently Asked Questions), which provided for the two year moratorium on those tariffs.

The Tide May Be Turning on Flood of ERISA Excessive Fee Class Actions

By Jeffrey D. Mamorsky Greenberg Traurig September 20 , 2022

The contours of plaintiff pleading requirements for ERISA fiduciary breach claims sketched by the Supreme Court in Hughes v. Northwestern University1 continue to evolve.

More From Privacy

Data Subject (EEA) → Processor Z (non-EEA) → Processor Y (non-EEA)

By David A. Zetoony Greenberg Traurig September 12 , 2022

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Controller A (EEA) → Processor Z (EEA) → Controller B (Non-EEA)

By David A. Zetoony Greenberg Traurig September 09 , 2022

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Understanding the differences in the state privacy laws: What factors must be considered by an organization when conducting a DPIA?

By David A. Zetoony Greenberg Traurig September 08 , 2022

Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities.

Featured Stories
Closeclose
Search
Menu

Working...