The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.
- Background. Company B is a European entity that has a branch office in the United States (which is not a separate legal entity). While data is sent directly from Company A in Europe to Company B’s branch office in the United States, the contract is between EEA Company A and EEA Company B. The EDPB has suggested that Company B’s branch office is not considered a controller or a processor separate and apart from Company B itself.[1] However, the EDPB has not directly addressed a situation in which an entity sends personal information to an unincorporated office outside of the EEA. In the diagram, the solid line indicates the data flow; the dashed line indicates the contractual relationships.
- Ambiguity as to whether a mechanism is needed for transfer from Company A to Company B. Because the EDPB has not directly addressed this situation, there are two possible interpretations of how to approach compliance.
- An argument could be made that, while data is being transmitted directly from Company A to Company B’s branch office in the United States, the branch office is not (based upon the EDPB guidance discussed above) a separate controller or processor as compared to Company B in the EEA. On that view, the data has not been transmitted to a controller located in the United States, and no transfer mechanism is required. Note that Company B would be directly subject to the GDPR, and, as a result, the data received should be subject to all GDPR requirements even in the absence of an SCC.
- An argument could also be made that, because data is being transmitted from one controller (Company A) to a second controller’s agents who are physically located outside of the EEA, the parties could enter into SCC Module 1 (controller to controller), wherein Company B would sign as the “data importer” and list the United States as a country in which processing will occur.
- Transfer Impact Assessments (TIAs). A formal transfer impact assessment is not required by contract if neither Company A nor Company B signed SCCs. Nonetheless, the EDPB has suggested that controllers (Company A and Company B) are “accountable for [their] processing activities,” which includes assessing the risks of deciding “to conduct or proceed with a specific processing operation in a third country although there is no ‘transfer’ situation.”[2] As a result, Company A and/or Company B might consider conducting a TIA to analyze the risks that may result from the transmission of data (with respect to Company A) and/or the retention of data in a third country (with respect to Company B).
- Law enforcement request policy. If no SCCs are signed, neither Company A nor Company B would be directly subject to Clause 15 of the SCCs, which requires specific steps in the event that a company receives a request from a public authority for access to personal data. Nonetheless, the EDPB has suggested that controllers (Company A and Company B) are “accountable for [their] processing activities,” which includes assessing the risks of deciding “to conduct or proceed with a specific processing operation in a third country although there is no ‘transfer’ situation.”[3] As a result, Company B might consider adopting a law enforcement request policy to mitigate the risks surrounding access requests from United States public authorities.
FOOTNOTES
[1] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at paras. 15 and 16.
[2] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at para. 17.
[3] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at para. 17.