August 09, 2022

Data Transfers from European Companies to Their Non-European Affiliates

You've Reached Your
Free Article Limit This Month
Register for free to get unlimited access to all OnPractice content.
Register Now

The following is part of Greenberg Traurig's ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Controller A-1 (EEA) → Controller A-2 (Non-EEA)

Visual Description and Implications
  • Background. Company A-1 and Company A-2 are corporate affiliates that are under common ownership or control, but are separate legal entities. Company A-1 in the EEA transfers personal data to Company A-2 in Country Q.
  • Transfer 1: SCC Module 1. A cross-border transfer from Company A-1 in the EEA to Company A-2 in Country Q should utilize the SCC Module 1 which is designed for transfers from an EEA controller to a non-EEA controller.
  • Subsequent Onward Transfers from Company A-2. Note that if Company A-2 makes any additional onward transfers, the appropriate module of the SCCs would need to be used.
  • Transfer Impact Assessments. Clause 14 of the SCCs requires both parties (Company A-1 and Company A-2) to document a transfer impact assessment of the laws of Country Q to determine whether any party has reason to believe that the laws and practices of Country Q that apply to the personal data transferred prevent the data importer (i.e., Company A-2) from fulfilling its obligations under the SCCs.
  • Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importer (Company A-2) to take specific steps in the event that it receives a request from a public authority for access to personal data.


ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From Greenberg Traurig

Schedule A I-140: Fast-Track Green Card for Nurses and Physical Therapists

By Caterina Cappellari Greenberg Traurig May 26 , 2023

Most employment-based permanent residency applications require the applicant to go through the PERM labor certification process where the U.S. Department of Labor (DOL) certifies that there are not sufficient U.S. workers able, available, and qualified to fill a position.

SCOTUS to Warhol Foundation: Your Use of Previously Licensed Work Isn't Fair

By Steven J. Wadyka Jr. Greenberg Traurig May 26 , 2023

On May 18, 2023, the United States Supreme Court issued its long-awaited decision in Andy Warhol Foundation for the Visual Arts, Inc. v. Goldsmith, a case that presented the Court with an opportunity to bring clarity to the often highly subjective standards lower courts apply when deciding the issue of fair use of visual works of art under copyright law.

Supreme Court Issues Decision Sharply Limiting Clean Water Act Jurisdiction over Wetlands

By Bernadette M. Rappold Greenberg Traurig May 26 , 2023

Sometimes the most monumental Supreme Court decisions spring from the most modest facts.

More From Cybersecurity

Processing Sensitive Personal Information under U.S. State Privacy Laws

By Zachary S. Schapiro Greenberg Traurig May 23 , 2023

As of now, nine states (CA, CO, CT, IA, IN, MT, TN, UT, and VA) have passed comprehensive privacy laws that are in effect (CA and VA), or are about to go into effect sometime soon (CO, CT, IA, IN, MT, TN, and UT).

Labor Department Releases New Guidance on Agency Enforcement of PUMP for Nursing Mothers Act

By Patricia Anderson Pryor Jackson Lewis P.C. May 19 , 2023

The U.S. Department of Labor Wage and Hour Division (WHD) has published guidance for agency officials responsible for enforcing the “pump at work” provisions of the Fair Labor Standards Act (FLSA), including those enacted under the 2022 Providing Urgent Maternal Protections for Nursing Mothers Act (PUMP Act).

Finding the Delta: Understanding the Differences in How State Privacy Laws Define Corporate Affiliates

By David A. Zetoony Greenberg Traurig May 15 , 2023

All modern privacy statutes regulate when personal information can be shared with third parties, whether those third parties are service providers, vendors, contractors, or business partners.

Featured Stories