September 12, 2022

Data Subject (EEA) → Processor Z (non-EEA) → Processor Y (non-EEA)

The following is part of Greenberg Traurig's ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Background. Company A retains Company Z in Country Q to process personal data (e.g., collect personal data from data subjects). Company A instructs Company Z to transmit the personal data to Company Y, which is a second processor in Country Q. There are two general strategies for how the transfer could be structured.

Option 1

  • Transfer 1 and Transfer 2: Possible use of SCC Module 2. The EDPB has taken the position that a data subject "cannot be considered a controller or processor"[i] and, therefore, the restrictions on cross-border data transfers that apply to controllers and processors do not apply to data subjects.[ii] As a result, an argument could be made that no mechanism is needed to transfer personal data from the data subject to Company Z. However, because Company Z is working on behalf of, and at the direction of, Company A, an argument could be made that the data subject is not making the decision to directly transfer personal data outside of the EEA - that decision has been made by Company A. Based upon that rationale, Company A and Company Z might consider utilizing Module 2 (First SCC) wherein Company A would conceptualize itself as constructively exporting personal data from the EEA to its processor in Country Q.
  • Transfer 3: Possible use of SCC Module 3. Pursuant to Clause 8.7 of the First SCC, all subsequent onward transfers to non-adequate jurisdictions must also utilize the SCCs (appropriate module). According to Clause 8.7, transfers "in the same [non-EEA] country" should also utilize a safeguard mechanism such as the SCCs.[iii] In this case, the transfer from Company Z to Company Y could be conceptualized either as a processor-to-processor transfer (where Company Y is acting at the direction of Company Z), or as a controller-to-processor transfer (where Company Y is acting at the direction of Company A). The former structure (depicted to the left) might be most appropriate to the extent that Company Y has been selected by Company Z, is a sub-processor of Company Z, and/or takes instruction directly from Company Z.
  • Transfer Impact Assessments. Clause 14 of the SCCs requires all parties (Company A, Company Z, and Company Y) to document a transfer impact assessment (TIA) of the laws of Country Q to determine whether any party has reason to believe that the laws and practices of Country Q that apply to the personal data transferred prevent the data importers (i.e., Company Z and Company Y) from fulfilling their obligations under the SCCs. The TIA could take the form of a single document reviewed and approved by all parties, or separate documents that reflect the specific factors applicable to Company Z and to Company Y.
  • Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importers (Company Z and Company Y) to take specific steps in the event that they receive a request from a public authority for access to personal data.

Option 2

  • Transfer 1 and Transfer 2: Possible use of SCC Module 2. The EDPB has taken the position that a data subject "cannot be considered a controller or processor"[iv] and, therefore, the restrictions on cross-border data transfers that apply to controllers and processors do not apply to data subjects.[v] As a result, an argument could be made that no mechanism is needed to transfer personal data from the data subject to Company Z. However, because Company Z is working on behalf of, and at the direction of, Company A, an argument could be made that the data subject is not making the decision to directly transfer personal data outside of the EEA - that decision has been made by Company A. Based upon that rationale, Company A and Company Z might consider utilizing Module 2 (First SCC) wherein Company A would conceptualize itself as constructively exporting personal data from the EEA to its processor in Country Q.
  • Transfer 3 and Transfer 4: Possible use of SCC Module 2. Pursuant to Clause 8.7 of the First SCC, all subsequent onward transfers to non-adequate jurisdictions must also utilize the SCCs (appropriate module). According to Clause 8.7, transfers "in the same [non-EEA] country" should also utilize a safeguard mechanism such as the SCCs.[vi] In this case, the transfer from Company Z to Company Y could be conceptualized either as a processor-to-processor transfer (where Company Y is acting at the direction of Company Z), or as a controller-to-processor transfer (where Company Y is acting at the direction of Company A). The latter structure (depicted to the left) might be most appropriate to the extent that Company Y has been selected by Company A, is a direct processor of Company A, and/or takes instruction directly from Company A.
  • Transfer Impact Assessments. Clause 14 of the SCCs requires all parties (Company A, Company Z, and Company Y) to document a transfer impact assessment (TIA) of the laws of Country Q to determine whether any party has reason to believe that the laws and practices of Country Q that apply to the personal data transferred prevent the data importers (i.e., Company Z and Company Y) from fulfilling their obligations under the SCCs. The TIA could take the form of a single document reviewed and approved by all parties, or separate documents that reflect the specific factors applicable to Company Z and to Company Y.
  • Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importers (Company Z and Company Y) to take specific steps in the event that they receive a request from a public authority for access to personal data.

[i] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.

[ii] The transfer of data from Europe to the United States arguably constitutes "processing" by the data subject and, therefore, is not subject to the GDPR at all, as the regulations do not apply to processing done by a "natural person in the course of a purely personal or household activity."  GDPR, Art. 2(2)(c).

[iii] See New SCC Module 1 at 8.7. The position that a transfer between companies in the same non-EEA country requires a safeguard also accords with Article 44 of the GDPR which requires that "any transfer of personal data . . . after transfer to a third country" must take place pursuant to the restrictions in Chapter V of the GDPR.

[iv] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.

[v] The transfer of data from Europe to the United States arguably constitutes "processing" by the data subject and, therefore, is not subject to the GDPR at all, as the regulations do not apply to processing done by a "natural person in the course of a purely personal or household activity."  GDPR, Art. 2(2)(c).

[vi] See New SCC Module 1 at 8.7.  The position that a transfer between companies in the same non-EEA country requires a safeguard also accords with Article 44 of the GDPR which requires that "any transfer of personal data . . . after transfer to a third country" must take place pursuant to the restrictions in Chapter V of the GDPR.
