SCC in the EU: Other Transfers from EEA Controller Controller A

David A. Zetoony

Email

303.685.7425

Bio and Articles

Carsten Kociok

Email

490-30700-171119

Bio and Articles

Andrea Maciejewski

Email

+1 303.572.6500

Bio and Articles

Other Transfers from EEA Controller Controller A (EEA)→Employee of Controller A (non-EEA)

by: David A. Zetoony, Carsten Kociok, Andrea Maciejewski of Greenberg Traurig, LLP - Data Privacy Dish

Wednesday, March 16, 2022

Print Mail Download

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual

Other Transfers from EEA Controller - Controller A (EEA)→Employee of Controller A (non-EEA)

Description and Implications

Background. Company A is a European legal entity that does not have a legal presence in Country Q. Company A has an employee that works from Country Q (e.g., a remote worker or a travelling employee).
Transfer 1: No mechanism needed for transfer from Company A to its employee outside of the EEA. The EDPB has suggested that when a company transmits personal data to an employee located outside of the EEA, the transmission does not constitute a “transfer” of personal information for purposes of Chapter V of the GDPR because the data has not been sent to a separate controller or processor.¹ While the EDPB provided, as an example, the use-case where an employee travels for work to India where he remotely accesses personal data from the EEA, the EDPB’s rationale may apply equally to other remote-work situations such as an employee that resides in a non-EEA country, or a remote employee that downloads personal data (as opposed to remotely accesses such data).
Transfer Impact Assessments. The EDPB has suggested that a controller (Company A) is “accountable for [its] processing activities” which include assessing risks “to conduct or proceed with a specific processing operation in a third country although there is no ‘transfer’ situation.”² As a result, Company A might consider conducting a TIA to analyze various risks that may result from the transmission of data to an employee in Country Q. While conducting a TIA might be beneficial, it is important to note that unlike transfers that utilize the SCCs, a TIA is not contractually required.
Law enforcement request policy. The EDPB has suggested that a controller (Company A) is “accountable for [its] processing activities” which include assessing risks “to conduct or proceed with a specific processing operation in a third country although there is no ‘transfer’ situation.”³ As a result, Company A might consider creating a law enforcement request policy to mitigate risks surrounding law enforcement requests received from Country Q.

[1] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at paras. 14, 15.

[2] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at para. 17.

[3] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at para. 17.