September 26, 2022

Volume XII, Number 269

Advertisement

September 26, 2022

Subscribe to Latest Legal News and Analysis
Advertisement

Data Transfers from European Companies to Their Non-European Affiliates

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Controller A-1 (EEA) → Controller A-2 (Non-EEA)

Visual

Description and Implications

  • Background. Company A-1 and Company A-2 are corporate affiliates that are under common ownership or control, but are separate legal entities. Company A-1 in the EEA transfers personal data to Company A-2 in Country Q.

  • Transfer 1: SCC Module 1. A cross-border transfer from Company A-1 in the EEA to Company A-2 in Country Q should utilize the SCC Module 1 which is designed for transfers from an EEA controller to a non-EEA controller.

  • Subsequent Onward Transfers from Company A-2. Note that if Company A-2 makes any additional onward transfers, the appropriate module of the SCCs would need to be used.

  • Transfer Impact Assessments. Clause 14 of the SCCs requires both parties (Company A-1 and Company A-2) to document a transfer impact assessment of the laws of Country Q to determine whether any party has reason to believe that the laws and practices of Country Q that apply to the personal data transferred prevent the data importer (i.e., Company A-2) from fulfilling its obligations under the SCCs.

  • Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importer (Company A-2) to take specific steps in the event that it receives a request from a public authority for access to personal data.

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 220
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425
Advertisement
Advertisement
Advertisement