The following is part of Greenberg Traurig's ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.
Controller A (EEA) → Controller B (EEA) → Controller C (Non-EEA)
||Description and Implications
- Background. Company A in the EEA transfers personal data to Company B in the EEA. Company B then transfers the personal data to Company C in Country Q.
- Transfer 1: No Mechanism Needed. The GDPR does not require a safeguard mechanism for data that is transferred from a company in the EEA to another company in the EEA.
- Transfer 2: SCC Module 1. A cross-border transfer from Company B in the EEA to Company C in Country Q should utilize the SCC Module 1 which is designed for transfers from an EEA controller to a non-EEA controller.
- Subsequent Onward Transfers from Company C. Note that if Company C makes any additional onward transfers, the appropriate module of the SCCs would need to be used.
- Transfer Impact Assessments. Clause 14 of the SCC requires Company B and Company C to document a transfer impact assessment of the laws of Country Q to determine whether either party has reason to believe that the laws and practices of Country Q that apply to the personal data transferred prevent the data importer (i.e., Company C) from fulfilling its obligations under the SCCs.
- Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importer (Company C) to take specific steps in the event that it receives a request from a public authority for access to personal data.
ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.