Transfers from EEA Controller to non-EEA Processor: Controller A (EEA)→ Processor Z (non-EEA) → Controller A (EEA)
The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses, approved by the European Commission in June 2021.
- 1st Transfer: SCC Module 2. Initial cross-border transfer from EEA to a non-EEA country utilizes the SCC Module 2 designed for transfers from a controller to a non-EEA processor (First SCC).
- 2nd Transfer. The GDPR does not require a company that transmits data to the EEA to utilize a safeguard mechanism. Note, however, that it is possible that some non-EEA countries impose their own restrictions on cross border data transfers.
- Transfer Impact Assessments. Section 14 of the SCCs require all parties (Company A and Company Z) to document a transfer impact assessment of the laws of Country X to determine whether any party has reason to believe that the laws and practices of that country prevent Company Z from fulfilling its obligations under the SCCs.
- Law enforcement request policy. Section 15 of the SCCs require the data importer (Company Z) to take specific steps in the event that it receives a request from a public authority for access to personal data. As a result, Company Z might consider creating a written law enforcement request policy.
©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 54