Controller A (EEA) → Processor Z (EEA) → Employee of Processor Z (Non-EEA) (on business trip)
Thursday, November 3, 2022
Business Trip Personal Data Transfer under Standard Contractual Clauses
Print Mail Download i

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

  • Background. Company A is an EEA controller that utilizes Company Z, a processor based in Country Q. Company Z does not have a legal presence in Country R, but does have an employee that is on a business trip in Country R and receives personal information while on that trip.

  • Transfer 1: SCC Module 2. The cross-border transfer of personal data from the EEA to Country Q should utilize the SCC Module 2 designed for transfers from a controller to a non-EEA processor.

  • Transfer 2: No Mechanism Needed. The EDPB has suggested that when a company transmits personal data to an employee that is located outside of the EEA the transmission does not constitute a “transfer” of personal information for purposes of Chapter V of the GDPR because the data has not been sent to a separate controller or processor.[1] The EDPB provided, as an example, the use-case whereby an employee travels for work to India where he or she remotely accesses personal data from the EEA. While the example provided by the EDPB involved a European company sending data to an employee outside of the EEA, the rationale utilized by the EDPB presumably applies where a company located in Country Q sends data to an employee located in Country R.

  • Transfer Impact Assessments. Clause 14 of the SCCs requires both parties (Company A and Company Z) to document whether either party has reason to believe that the laws and practices of Country Q prevent Company Z from fulfilling its obligations under the SCCs. Clause 14 might also be interpreted as requiring that the companies consider any additional countries to which data might be transferred (e.g., Country R).

  • Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importer (Company Z) to take specific steps in the event they receive a request from a public authority for access to personal data. As a result, Company Z might consider creating a written law enforcement request policy.

FOOTNOTES

[1] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at paras. 14, 15.

©2024 Greenberg Traurig, LLP. All rights reserved.

Current Legal Analysis

More from Greenberg Traurig, LLP

California Proposes Revisions to Autorenewal Law
by: Timothy A. Butler , Matthew M. White
USCIS Increases Automatic Extension of Certain Employment Authorization Documents to 540 Days
by: Faraz Qaisrani
China to Relax Foreign Ownership Restrictions in Telecom Sector
by: George Qi , Yuqing (Philip) Ruan
Treasury Department Announces Proposed Regulatory Updates to CFIUS Enforcement Mechanisms and Civil Penalties
by: Kara M. Bombach , Cyril T. Brennan
Failure to Produce Privilege Log
by: Kathryn C. Cole
Court Considers Recusal Standards in CFPB 5th Circuit Suit Over Credit Card Late Fees
by: Tonya M. Esposito , Shirin Afsous
GTDRIVES: Dynamic Dialogues | Maternal Health Disparities [Podcast]
by: Akiesha Gilcrist Sainvil
Tax Court Rejects Constitutional Challenges to International Information Return Penalties
by: Barbara T. Kaplan , Scott E. Fink
Supreme Court Finds FAA ‘Transportation Worker’ Exemption Does Not Require Employment in Transportation Industry
by: Nicholas D. SanFilippo , Shirin Afsous
USCIS Announces Information on EB-5 Regional Center Audits
by: Miriam C. Thompson

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins