HB Ad Slot
HB Mobile Ad Slot
Transfers from a US Controller to EEA processors (Renvois) Controller (US) →Processor (Non-EEA)→Sub-processor (EEA)→Controller (US)
Wednesday, March 9, 2022

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual

Transfers from a US Controller to EEA processors (Renvois) Controller (US)→ Processor (Non-EEA)→Sub-processor (EEA)→Controller (US)

Description and Implications

  • Cross border transfers from the United States don’t need a SCC. Company A is not required under U.S. law or the GDPR to put in place safeguards when it transmits (exports) data to Company Y.  Company Y is not required under U.S. law or the GDPR to put in place a safeguard when it transmits (exports) personal data to Company Z. However, in some cases the laws of Country X might require a separate safeguard for such transmissions.

  • SCC Module 4. Article 46 of the GDPR requires that a processor that transfers data outside of the EEA to a non-adequate country must utilize a safeguard.  The EDPB has confirmed that this requirement applies when an EEA processor (Company Z) sends data to a controller (Company A).1

  • Subsequent Onward Transfers from Company A do not require safeguards. If Company A sends data it received from Company Z to subsequent controllers or processors, it is not required to utilize a safeguard.

  • Transfer Impact Assessments. Section 14 of SCC Module 4 does not typically require Company Z or Company A to conduct a transfer impact assessment (TIA) of U.S. law. However, that a TIA would be required if Company Z combined the personal data it received from Company Y, with its own personal data (e.g., did a data enhancement or a data append).

  • Law enforcement request policy. Section 15 of SCC Module 4 does not typically require that Company A take specific steps in the event it receives a request from a public authority for access to personal data. However, a law enforcement policy might be warranted if Company Z combined the personal that it received from Company Y, with its own personal data (e.g., did a data enhancement or a data append).

FOOTNOTES

[1] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at para. 13.

HB Ad Slot
HB Ad Slot
HB Mobile Ad Slot
HB Ad Slot
HB Mobile Ad Slot
 
NLR Logo
We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins