August 02, 2022

Data transfers from a controller in the EEA, to another controller in the EEA, to a processor outside of the EEA

You've Reached Your
Free Article Limit This Month
Register for free to get unlimited access to all OnPractice content.
Register Now

The following is part of Greenberg Traurig's ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Controller A (EEA) → Controller B (EEA) → Processor Z (Non-EEA)

Visual Description and Implications
  • Background. Company A in the EEA transfers personal data to Company B in the EEA. Company B then transfers the personal data to its processor, Company Z, in Country Q.
  • Transfer 1. No mechanism needed. The GDPR does not require a safeguard mechanism for data that is transferred from a company in the EEA to another company in the EEA.
  • Transfer 2. SCC Module 2. The transfer from Company B to Company Z should utilize the SCC Module 2 designed for transfers from controllers in the EEA to processors that are located outside of the EEA.
  • Transfer Impact Assessments. Clause 14 of the SCCs would require that Company B and Company Z document a transfer impact assessment of the laws of Country Q to determine if they prevent Company Z from fulfilling its obligations under the SCCs.
  • Law enforcement request policy. Clause 15 of the SCCs requires Company Z to take specific steps in the event that it receives a request from a public authority for access to personal data. As a result, Company Z might consider creating a law enforcement request policy for handling requests from public authorities.


ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From Greenberg Traurig

CFPB Says 'Show Me The (Consumer Unfriendly) Fine Print'

By Timothy A. Butler Greenberg Traurig January 25 , 2023

On Jan. 11, the Consumer Financial Protection Bureau (CFPB) released a proposed rule that would require certain nonbank financial companies subject to its supervisory jurisdiction to submit annual reports about their use of terms and conditions that attempt to waive or limit consumer rights and protections.

FINRA Files Amendments to Proposed Rule Change That Will Allow Remote Inspections

By William B. Mack Greenberg Traurig January 25 , 2023

Last summer, the Financial Regulatory Authority (FINRA) proposed a rule change to its supervision rule (FINRA Rule 3110) to allow member firms to conduct remote inspections of some or all branch offices and locations.

5 Trends to Watch: 2023 Venture Capital

By Chinh H. Pham Greenberg Traurig January 20 , 2023

The current macroeconomic environment, coupled with record increases in valuations over the last several years, is creating an increase in down-rounds, re-pricings, and recapitalizations.

More From Cybersecurity

5 Trends to Watch: 2023 Hospitality

By Samantha Ahuja Greenberg Traurig January 18 , 2023

For many hotels, the pandemic exacerbated the challenges of finding enough qualified workers to fill jobs.

Cookies and Other Tracking Technologies May Violate HIPAA

By Karin E. Ross Greenberg Traurig January 18 , 2023

In the midst of significant privacy changes in many U.S. states affecting tracking technologies such as cookies, pixels, and adtech, new lawsuits are alleging entities violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) via impermissible disclosure of protected health information due to the use of these technologies.

10 Issues to Watch in the New Congress

By Robert Mangas Greenberg Traurig January 17 , 2023

The split party control in the U.S. Senate and House of Representatives will require bipartisanship to produce successful legislation over the next two years.

Featured Stories