The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Controller A (EEA)  → Controller B (EEA) → Controller C (Non-EEA)

Description and Implications

• Background. Company A in the EEA transfers personal data to Company B in the EEA. Company B then transfers the personal data to Company C in Country Q.

• Transfer 1: No Mechanism Needed. The GDPR does not require a safeguard mechanism for data that is transferred from a company in the EEA to another company in the EEA.

• Transfer 2: SCC Module 1. A cross-border transfer from Company B in the EEA to Company C in Country Q should utilize the SCC Module 1 which is designed for transfers from an EEA controller to a non-EEA controller.

• Subsequent Onward Transfers from Company C. Note that if Company C makes any additional onward transfers, the appropriate module of the SCCs would need to be used.

• Transfer Impact Assessments. Clause 14 of the SCC requires Company B and Company C to document a transfer impact assessment of the laws of Country Q to determine whether either party has reason to believe that the laws and practices of Country Q that apply to the personal data transferred prevent the data importer (i.e., Company C) from fulfilling its obligations under the SCCs.

• Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importer (Company C) to take specific steps in the event that it receives a request from a public authority for access to personal data.