August 03, 2022

Data transfers from a European controller to a second European controller to a non-European controller

You've Reached Your
Free Article Limit This Month
Register for free to get unlimited access to all OnPractice content.
Register Now

The following is part of Greenberg Traurig's ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Controller A (EEA)  → Controller B (EEA) → Controller C (Non-EEA)

Visual Description and Implications
  • Background. Company A in the EEA transfers personal data to Company B in the EEA. Company B then transfers the personal data to Company C in Country Q.
  • Transfer 1: No Mechanism Needed. The GDPR does not require a safeguard mechanism for data that is transferred from a company in the EEA to another company in the EEA.
  • Transfer 2: SCC Module 1. A cross-border transfer from Company B in the EEA to Company C in Country Q should utilize the SCC Module 1 which is designed for transfers from an EEA controller to a non-EEA controller.
  • Subsequent Onward Transfers from Company C. Note that if Company C makes any additional onward transfers, the appropriate module of the SCCs would need to be used.
  • Transfer Impact Assessments. Clause 14 of the SCC requires Company B and Company C to document a transfer impact assessment of the laws of Country Q to determine whether either party has reason to believe that the laws and practices of Country Q that apply to the personal data transferred prevent the data importer (i.e., Company C) from fulfilling its obligations under the SCCs.
  • Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importer (Company C) to take specific steps in the event that it receives a request from a public authority for access to personal data.


ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From Greenberg Traurig

Proposed UCC Amendments to Article 12 Shed New Light on Transacting and Securing Interests in Digital Assets

By John B. Hutton III Greenberg Traurig December 07 , 2022

As we know it, the emerging practice of transacting in digital assets has developed into a mainstream fragment of the financial market ecosystem.

Certain Ukrainian and Afghan Parolees Employment Authorized Incident to Parole

By Linnea Porter Greenberg Traurig December 07 , 2022

Effective Nov. 21, 2022, USCIS announced that certain Afghan and Ukrainian beneficiaries paroled into the United States are employment authorized incident to parole.

Trade Secret Law Evolution Podcast Episode 51: The Sixth Circuit Analyzes Key Concepts in Trade Secret Law in Affirming Major Jury Verdict

By Jordan D. Grotzinger Greenberg Traurig December 02 , 2022

You are invited to listen to Episode 51 of Greenberg Traurig’s Trade Secret Law Evolution Podcast, "The Sixth Circuit Analyzes Key Concepts in Trade Secret Law in Affirming Major Jury Verdict."

More From Cybersecurity

Deadline: 'Old' Standard Contractual Clauses (SCCs) Expire Dec. 27, 2022

By Dr. Viola Bensinger Greenberg Traurig December 02 , 2022

After an extended sunset period, time to replace the “old” SCCs runs out on Dec. 27, 2022. After that date, the old SCCs will no longer legalize data transfers to countries outside the European Economic Area (EEA).

Can a business require a consumer to submit a declaration under penalty of perjury in order to prove their identity?

By David A. Zetoony Greenberg Traurig November 22 , 2022

The regulations implementing the CCPA require that a business verify the identity of a consumer that submits a specific-information access request to a “reasonably high degree of certainty.”

What is the difference between a category-level access request and a specific-information access request?

By David A. Zetoony Greenberg Traurig November 21 , 2022

The CCPA and its implementing regulations identify six types of information requests that a consumer can submit to a business.

Featured Stories