SHARE

September 09, 2022

Controller A (EEA) → Processor Z (EEA) → Controller B (Non-EEA)

You've Reached Your
Free Article Limit This Month
Register for free to get unlimited access to all Law.com OnPractice content.
Register Now

The following is part of Greenberg Traurig's ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
  • Background. Company A transmits personal data to its processor Company Z, and then instructs its processor to onward transfer the personal data to Company B - a separate controller.
  • Transfer 1: Art. 28 DPA. As personal data has not left the EEA, an adequacy measure is not required. The parties should enter into an agreement that complies with Article 28 of the GDPR as Company Z is acting as a processor to Company A.
  • Transfer 2: No mechanism available. Although the SCC Module 4 is designed for transfers from processors to controllers, it cannot be used in this situation as Clause 8.1(a) of that SCC states that the data exporter (Company Z) must be acting on the instructions of the data importer (Company B). In this scenario, the data exporter is acting on the instructions of Company A (which is not the data importer). As a result, Company Z could not utilize the SCC Module 4.
  • Transfer 3: SCC Module 1. Although the data is being triangulated through Company Z, the only available contractual mechanism is for Company A to enter into a SCC Module 1 with Company B.
  • Transfer Impact Assessments. Clause 14 of the SCCs requires Company A and Company B to document a transfer impact assessment of the laws of Country Q to determine whether either party has reason to believe that the laws and practices of Country Q that apply to the personal data transferred prevent the data importer (i.e., Company B) from fulfilling its obligations under the SCCs.
  • Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importer (Company B) to take specific steps in the event that it receives a request from a public authority for access to personal data.

 

ALM expressly disclaims any express or implied warranty regarding the OnPractice Content, including any implied warranty that the OnPractice Content is accurate, has been corrected or is otherwise free from errors.

More From Greenberg Traurig

Dutch Presented Tax Measures for 2023

By Thomas van der Vliet Greenberg Traurig September 21 , 2022

On Budget Day, 20 September 2022 (Prinsjesdag), the Dutch Ministry of Finance presented its 2023 tax plan (the Proposal). For the proposed bills discussed in this GT Alert to have effect, Parliament first must approve them.

Commerce Issues Final Rule on AD/CVD Grace Period

By Laura Siegel Rabinowitz Greenberg Traurig September 20 , 2022

The Department of Commerce (DOC) has issued the final rule implementing the two-year moratorium on anti-dumping or countervailing duties (AD/CVD) for solar panels and cells from Cambodia, Malaysia, Thailand, and Vietnam in accordance with the June 6, 2022, Presidential Proclamation (Declaration of Emergency and Authorization for Temporary Extensions of Time and Duty-Free Importation of Solar Cells and Modules from Southeast Asia; See GT Alert, Biden Uses Emergency Powers to Pause New Solar Import Tariffs—Frequently Asked Questions), which provided for the two year moratorium on those tariffs.

The Tide May Be Turning on Flood of ERISA Excessive Fee Class Actions

By Jeffrey D. Mamorsky Greenberg Traurig September 20 , 2022

The contours of plaintiff pleading requirements for ERISA fiduciary breach claims sketched by the Supreme Court in Hughes v. Northwestern University1 continue to evolve.

More From Privacy

Data Subject (EEA) → Processor Z (non-EEA) → Processor Y (non-EEA)

By David A. Zetoony Greenberg Traurig September 12 , 2022

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Understanding the differences in the state privacy laws: What factors must be considered by an organization when conducting a DPIA?

By David A. Zetoony Greenberg Traurig September 08 , 2022

Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities.

Understanding the differences in the state privacy laws: When is an organization required to conduct a DPIA?

By David A. Zetoony Greenberg Traurig September 08 , 2022

Some modern data privacy statutes require organizations to consider and document privacy-related risks regarding certain types of processing activities.

Featured Stories
Closeclose
Search
Menu

Working...