The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June of 2021.
Overview of situation. Company A in the EEA retains Company Z-1 in the US to process personal data. Company Z-1 intends to transmit the personal data to corporate affiliates in other countries throughout the world that are also not considered to have adequate data protection laws (i.e., Company Z-2 and Company Z-3). There are two main strategies for how the transfer could be structured.
Option 1
Summary
- 1st Transfer: SCC Module 2. The initial cross-border transfer from the EEA to the United States could utilize the SCC Module 2 designed for transfers from a controller to a non-EEA processor (First SCC).
- 2nd and 3rd Transfers: SCC Module 3. Pursuant to Section 8.7 of the First SCC, all subsequent onward transfers to non-adequate jurisdictions must also utilize the SCCs (using the appropriate module). While these could take the form of two separate documents, they might also take the form of a single intragroup agreement that incorporates the SCC Module 3 (Second SCCs).
- U.S. Transfer Impact Assessment. Section 14 of the First SCC requires Company A and Company Z-1 to document a transfer impact assessment of the laws of the United States to determine whether either party has reason to believe that U.S. laws and practices prevent Company Z-1 from fulfilling its obligations under the SCCs.
- Other Transfer Impact Assessments. Section 14 of the Second SCCs requires Companies Z-1, Z-2, and Z-3 to create a transfer impact assessment of the laws of the jurisdictions in which Companies Z-2 and Z-3 operate. It is unclear whether Company A must participate in this process.
- Law enforcement request policy. Section 15 of the SCCs requires the data importers (Companies Z-1, Z-2, and Z-3) to take specific steps in the event that they receive a request from a public authority for access to personal data.
Option 2
Summary
- 1st, 2nd, and 3rd Transfer: SCC Module 2. The parties could enter into a single SCC Module 2 designed for transfers from a controller to a non-EEA processor, which would list Company Z-1, Company Z-2, and Company Z-3 each as separate data importers (First SCC).
- Transfer Impact Assessments. Section 14 of the First SCC would require Company A to document a transfer impact assessment with each of the data importers (Company Z-1, Z-2, and Z-3) with regard to their respective countries to determine whether Company A, or whether each of the respective importers, has a reason to believe that the laws of their respective jurisdictions would prevent them from fulfilling their obligations under the First SCC.
- Law enforcement request policy. Section 15 of the First SCC requires the data importers (Companies Z-1, Z-2, and Z-3) to take specific steps in the event that they receive a request from a public authority for access to personal data.