October 2, 2022

Volume XII, Number 275


September 30, 2022


Data Transfers from Data Subjects in the EEA to Non-EEA Processors of EEA Controllers

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Data Subject (EEA) → Processor Z-1 (non-EEA) → Processor Z-2 (EEA) → Controller A (EEA)

 

Visual Description and Implications
Background. Company A retains Company Z-2 (EEA) to collect personal data from data subjects on its behalf. Company Z-2 utilizes its affiliate in Country Q (Company Z-1) as a sub-processor to collect the personal data. In this scenario, the data subject is physically transferring personal information to a sub-processor that is not in the EEA, but that sub-processor is acting at the instruction of the processor, and ultimately the controller, both of which are in the EEA. There are three strategies for how the transfer could be structured.
Option 1
  • Transfer 1: No Mechanism Needed. The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”[i] and, as a result, the restrictions on cross-border data transfers that apply to controllers and processors do not apply to data subjects.[ii] As a result, an argument might be made that no mechanism is needed to transfer personal data from the data subject to Company Z-1.
  • Transfer 2: No Mechanism Needed.  The GDPR does not require a company that transmits data from a non-adequate country to the EEA to utilize a safeguard mechanism.  Unless Country Q independently requires a cross-border transfer mechanism, no cross-border transfer mechanism will be needed.
Option 2
  • Transfer 1: Possible use of SCC Module 3. The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”[iii] and, as a result, the restrictions on cross-border data transfers that apply to controllers and processors do not apply to data subjects.[iv] As a result, an argument might be made that no mechanism is needed to transfer personal data from the data subject to Company Z-1. At the same time, because Company Z-1 is ultimately working on behalf of, and at the direction of, Company Z-2, an argument could be made that the data subject is not making the decision to transfer personal data outside of the EEA – that decision has been made by Company Z-2 (acting at the instruction of Company A). Based upon that rationale, Company Z-2 might consider entering into a Standard Contractual Clause Module 3 wherein it considers itself constructively exporting personal data from the EEA to its sub-processor in Country Q.
  • Transfer 2: No Mechanism.  The GDPR does not require a company that transmits data from a non-adequate country to the EEA to utilize a safeguard mechanism.  Unless Country Q independently requires a cross-border transfer mechanism, no cross-border transfer mechanism will be needed.
Option 3
  • Transfer 1: Possible use of SCC Module 2. The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”[v] and, as a result, the restrictions on cross-border data transfers that apply to controllers and processors do not apply to data subjects.[vi] As a result, an argument might be made that no mechanism is needed to transfer personal data from the data subject to Company Z-1. At the same time, because Company Z-1 is ultimately working on behalf of, and at the direction of, Company A, an argument could be made that the data subject is not making the decision to transfer personal data outside of the EEA – that decision has been made by Company A. Based upon that rationale, Company A might consider entering into a Standard Contractual Clause Module 2 wherein it considers itself constructively exporting personal data from the EEA to its processor in Country Q.
  • Transfer 2: No Mechanism.  The GDPR does not require a company that transmits data from a non-adequate country to the EEA to utilize a safeguard mechanism.  Unless Country Q independently requires a cross-border transfer mechanism, no cross-border transfer mechanism will be needed.

FOOTNOTES

[i] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.

[ii] The transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and, therefore, is not subject to the GDPR at all, as the regulations do not apply to processing done by a “natural person in the course of a purely personal or household activity.” GDPR, Art. 2(2)(c).

[iii] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.

[iv] The transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and, therefore, is not subject to the GDPR at all, as the regulations do not apply to processing done by a “natural person in the course of a purely personal or household activity.” GDPR, Art. 2(2)(c).

[v] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.

[vi] The transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and, therefore, is not subject to the GDPR at all, as the regulations do not apply to processing done by a “natural person in the course of a purely personal or household activity.” GDPR, Art. 2(2)(c).

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 202

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425