Data transfers from a European controller to a second European controller to a non-European controller
Wednesday, August 3, 2022

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Controller A (EEA)  → Controller B (EEA) → Controller C (Non-EEA)

Description and Implications

  • Background. Company A in the EEA transfers personal data to Company B in the EEA. Company B then transfers the personal data to Company C in Country Q.

  • Transfer 1: No Mechanism Needed. The GDPR does not require a safeguard mechanism for data that is transferred from a company in the EEA to another company in the EEA.

  • Transfer 2: SCC Module 1. A cross-border transfer from Company B in the EEA to Company C in Country Q should utilize the SCC Module 1 which is designed for transfers from an EEA controller to a non-EEA controller.

  • Subsequent Onward Transfers from Company C. Note that if Company C makes any additional onward transfers, the appropriate module of the SCCs would need to be used.

  • Transfer Impact Assessments. Clause 14 of the SCC requires Company B and Company C to document a transfer impact assessment of the laws of Country Q to determine whether either party has reason to believe that the laws and practices of Country Q that apply to the personal data transferred prevent the data importer (i.e., Company C) from fulfilling its obligations under the SCCs.

  • Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importer (Company C) to take specific steps in the event that it receives a request from a public authority for access to personal data.

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins