Data Transfers from European Companies to Their Non-European Affiliates
The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.
Controller A-1 (EEA) → Controller A-2 (Non-EEA)
Description and Implications
Background. Company A-1 and Company A-2 are corporate affiliates that are under common ownership or control, but are separate legal entities. Company A-1 in the EEA transfers personal data to Company A-2 in Country Q.
Transfer 1: SCC Module 1. A cross-border transfer from Company A-1 in the EEA to Company A-2 in Country Q should utilize the SCC Module 1 which is designed for transfers from an EEA controller to a non-EEA controller.
Subsequent Onward Transfers from Company A-2. Note that if Company A-2 makes any additional onward transfers, the appropriate module of the SCCs would need to be used.
Transfer Impact Assessments. Clause 14 of the SCCs requires both parties (Company A-1 and Company A-2) to document a transfer impact assessment of the laws of Country Q to determine whether any party has reason to believe that the laws and practices of Country Q that apply to the personal data transferred prevent the data importer (i.e., Company A-2) from fulfilling its obligations under the SCCs.
Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importer (Company A-2) to take specific steps in the event that it receives a request from a public authority for access to personal data.