Data transfers from a controller in the EEA, to another controller in the EEA, to a processor outside of the EEA
You've Reached Your
Free Article Limit This Month
Register for free to get unlimited access to all Law.com OnPractice content.
The following is part of Greenberg Traurig's ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.
Controller A (EEA) → Controller B (EEA) → Processor Z (Non-EEA)
||Description and Implications
- Background. Company A in the EEA transfers personal data to Company B in the EEA. Company B then transfers the personal data to its processor, Company Z, in Country Q.
- Transfer 1. No mechanism needed. The GDPR does not require a safeguard mechanism for data that is transferred from a company in the EEA to another company in the EEA.
- Transfer 2. SCC Module 2. The transfer from Company B to Company Z should utilize the SCC Module 2 designed for transfers from controllers in the EEA to processors that are located outside of the EEA.
- Transfer Impact Assessments. Clause 14 of the SCCs would require that Company B and Company Z document a transfer impact assessment of the laws of Country Q to determine if they prevent Company Z from fulfilling its obligations under the SCCs.
- Law enforcement request policy. Clause 15 of the SCCs requires Company Z to take specific steps in the event that it receives a request from a public authority for access to personal data. As a result, Company Z might consider creating a law enforcement request policy for handling requests from public authorities.
ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.