Transfers from EEA Controller to non-EEA Processor: Controller A (EEA) → Processor Z (non-EEA) → Processor X (Non-EEA) → Controller A (EEA)
The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June of 2021.
- 1st Transfer: SCC Module 2. Initial cross-border transfer from EEA to Country Q utilizes the SCC Module 2 designed for transfers from a controller to a non-EEA processor (First SCC).
- 2nd Transfer: SCC Module 3. Pursuant to Section 8.7 of the First SCC, all subsequent onward transfers to non-adequate jurisdictions must also utilize the SCCs (appropriate module). Transfers to another company “in the same [non-EEA] country” should utilize a safeguard mechanism such as the SCCs. Note that the parties could alternatively decide to enter into a single SCC between Company A, Company Z, and Company X that integrated a Module 2 SCC (as to Company A and Company Z) and a Module 2 SCC (as to Company A and X).
- 3rd Transfer. The GDPR does not require a company that transmits data to the EEA to utilize a safeguard mechanism. Note, however, that it is possible that some non-EEA countries impose their own restrictions on cross border data transfers.
- Transfer Impact Assessments. Section 14 of the SCCs require all parties (Company A, Company Z, and Company X) to document a transfer impact assessment of the laws of Country Q to determine whether any party has reason to believe that the laws and practices of Country Q prevent Company Z and/or Company X from fulfilling their obligations under the SCCs.
- Law enforcement request policy. Note that Section 15 of the SCCs require the data importers (Company Z and Company X) to take specific steps in the event that they receive a request from a public authority for access to personal data.
 See New SCC Module 1 at 8.7. The position that a transfer between companies in the same non-EEA country requires a safeguard also accords with Article 44 of the GDPR which requires that “any transfer of personal data . . . after transfer to a third country” must take place pursuant to the restrictions in Chapter V of the GDPR.
©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 59