
August 09, 2022

Data Transfers from European Companies to Their Non-European Affiliates


The following is part of Greenberg Traurig's ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Controller A-1 (EEA) → Controller A-2 (Non-EEA)

Visual Description and Implications
  • Background. Company A-1 and Company A-2 are corporate affiliates that are under common ownership or control, but are separate legal entities. Company A-1 in the EEA transfers personal data to Company A-2 in Country Q.
  • Transfer 1: SCC Module 1. A cross-border transfer from Company A-1 in the EEA to Company A-2 in Country Q should use SCC Module 1, which is designed for transfers from an EEA controller to a non-EEA controller.
  • Subsequent Onward Transfers from Company A-2. Note that if Company A-2 makes any additional onward transfers, the appropriate module of the SCCs would need to be used.
  • Transfer Impact Assessments. Clause 14 of the SCCs requires both parties (Company A-1 and Company A-2) to document a transfer impact assessment of the laws of Country Q to determine whether any party has reason to believe that the laws and practices of Country Q that apply to the personal data transferred prevent the data importer (i.e., Company A-2) from fulfilling its obligations under the SCCs.
  • Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importer (Company A-2) to take specific steps in the event that it receives a request from a public authority for access to personal data.

 
