HB Ad Slot
HB Mobile Ad Slot
Cross-Border Transfer Master Class: Controller (EEA)→ Controller (EEA)→ Branch Office (US)
Tuesday, January 25, 2022

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

  • Background. Company B is a European entity, that has a branch office in the United States (which is not a separate legal entity). While data is being directly sent from Company A in Europe to Company B’s branch office in the United States, the contract is between EEA Company A and EEA Company B. The EDPB has suggested that Company B’s branch office is not considered a controller or a processor (separate and apart from Company B itself).[1] However, the EDPB has not directly addressed a situation in which an entity sends personal information to an unincorporated office outside of the EEA. The solid line indicates the data flow; dashed line indicates the contractual relationships.

 

  • Ambiguity as to whether a mechanism is needed for transfer from Company A to Company B. The EDPB has not directly addressed this situation, as a result there are two possible interpretations of how to approach compliance.

 

    • An argument could be made that while data is being directly transmitted from Company A to Company B’s branch office in the United States, based upon the EDPB’s guidance discussed above an argument could be made that the branch office is not considered a separate controller or processor as compared to Company B in the EEA. As a result, an argument could be made that the data has not been transmitted to a controller that is located in the United States. Note that Company B would be directly subject to the GDPR, and, as a result, data received should be subject to all GDPR requirements even in the absence of a SCC.

 

  • An argument could also be made that because data is being transmitted from one controller (Controller A) to a second controller’s agents who are physically located outside of the EEA, the parties could enter into the SCC Module 1 wherein Company B would sign as the “data importer” listed the United States as a country in which processing will occur.

 

  • Transfer Impact Assessments. A formal transfer impact assessment is not required by contract if neither Company A nor Company B signed SCCs. Nonetheless, the EDPB has suggested that controllers (Company A and Company B) are “accountable for [their] processing activities” which include assessing risks “to conduct or proceed with a specific processing operation in a third country although there is no ‘transfer’ situation.”[2] As a result, Company A and/or Company B might consider conducting a TIA to analyze various risks that may result from the transmission of data (with respect to Company A) and/or the retention of data in a third country (with respect to Company B).

Law enforcement request policy. If no SCCs are signed, neither Company A nor Company B would be directly subject to Section 15 of the SCCs that require specific steps in the event that a company receives a request from a public authority for access to personal data. Nonetheless, the EDPB has suggested that controllers (Company A and Company B) are “accountable for [their] processing activities” which include assessing risks “to conduct or proceed with a specific processing operation in a third country although there is no ‘transfer’ situation.”[3] As a result, Company B might consider creating a law enforcement request policy to mitigate risks surrounding law enforcement requests from the United States.

FOOTNOTES

[1] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at paras. 15 and 16.

[2] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at para. 17.

[3] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at para. 17.

HTML Embed Code
HB Ad Slot
HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot
 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins