The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.
Data Subject (EEA) → Processor Z-1 (non-EEA) → Processor Z-2 (EEA) → Controller A (EEA)
Description and Implications
Background. Company A retains Company Z-2 (EEA) to collect personal data from data subjects on its behalf. Company Z-2 utilizes its affiliate in Country Q (Company Z-1) as a sub-processor to collect the personal data. In this scenario, the data subject is physically transferring personal information to a sub-processor that is not in the EEA, but that sub-processor is acting at the instruction of the processor, and ultimately the controller, both of which are in the EEA. There are three strategies for how the transfer could be structured.

Option 1
- Transfer 1: No Mechanism Needed. The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”[i] and, as a result, the restrictions on cross-border data transfers that apply to controllers and processors do not apply to data subjects.[ii] As a result, an argument might be made that no mechanism is needed to transfer personal data from the data subject to Company Z-1.
- Transfer 2: No Mechanism Needed. The GDPR does not require a company that transmits data from a non-adequate country to the EEA to utilize a safeguard mechanism. Unless Country Q independently requires a cross-border transfer mechanism, no cross-border transfer mechanism will be needed.

Option 2
- Transfer 1: Possible use of SCC Module 3. The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”[iii] and, as a result, the restrictions on cross-border data transfers that apply to controllers and processors do not apply to data subjects.[iv] As a result, an argument might be made that no mechanism is needed to transfer personal data from the data subject to Company Z-1. At the same time, because Company Z-1 is ultimately working on behalf of, and at the direction of, Company Z-2, an argument could be made that the data subject is not making the decision to transfer personal data outside of the EEA – that decision has been made by Company Z-2 (acting at the instruction of Company A). Based upon that rationale, Company Z-2 might consider entering into a Standard Contractual Clause Module 3 wherein it considers itself constructively exporting personal data from the EEA to its sub-processor in Country Q.
- Transfer 2: No Mechanism. The GDPR does not require a company that transmits data from a non-adequate country to the EEA to utilize a safeguard mechanism. Unless Country Q independently requires a cross-border transfer mechanism, no cross-border transfer mechanism will be needed.

Option 3
- Transfer 1: Possible use of SCC Module 2. The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”[v] and, as a result, the restrictions on cross-border data transfers that apply to controllers and processors do not apply to data subjects.[vi] As a result, an argument might be made that no mechanism is needed to transfer personal data from the data subject to Company Z-1. At the same time, because Company Z-1 is ultimately working on behalf of, and at the direction of, Company A, an argument could be made that the data subject is not making the decision to transfer personal data outside of the EEA – that decision has been made by Company A. Based upon that rationale, Company A might consider entering into a Standard Contractual Clause Module 2 wherein it considers itself constructively exporting personal data from the EEA to its processor in Country Q.
- Transfer 2: No Mechanism. The GDPR does not require a company that transmits data from a non-adequate country to the EEA to utilize a safeguard mechanism. Unless Country Q independently requires a cross-border transfer mechanism, no cross-border transfer mechanism will be needed.
FOOTNOTES
[i] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.
[ii] The transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and, therefore, is not subject to the GDPR at all, as the regulations do not apply to processing done by a “natural person in the course of a purely personal or household activity.” GDPR, Art. 2(2)(c).
[iii] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.
[iv] The transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and, therefore, is not subject to the GDPR at all, as the regulations do not apply to processing done by a “natural person in the course of a purely personal or household activity.” GDPR, Art. 2(2)(c).
[v] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.
[vi] The transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and, therefore, is not subject to the GDPR at all, as the regulations do not apply to processing done by a “natural person in the course of a purely personal or household activity.” GDPR, Art. 2(2)(c).