Transfers from a US Controller to EEA processors (Renvois) Controller (US) →Processor (Non-EEA)→Sub-processor (EEA)→Controller (US)
Wednesday, March 9, 2022

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual

Transfers from a US Controller to EEA processors (Renvois) Controller (US)→ Processor (Non-EEA)→Sub-processor (EEA)→Controller (US)

Description and Implications

  • Cross border transfers from the United States don’t need a SCC. Company A is not required under U.S. law or the GDPR to put in place safeguards when it transmits (exports) data to Company Y.  Company Y is not required under U.S. law or the GDPR to put in place a safeguard when it transmits (exports) personal data to Company Z. However, in some cases the laws of Country X might require a separate safeguard for such transmissions.

  • SCC Module 4. Article 46 of the GDPR requires that a processor that transfers data outside of the EEA to a non-adequate country must utilize a safeguard.  The EDPB has confirmed that this requirement applies when an EEA processor (Company Z) sends data to a controller (Company A).1

  • Subsequent Onward Transfers from Company A do not require safeguards. If Company A sends data it received from Company Z to subsequent controllers or processors, it is not required to utilize a safeguard.

  • Transfer Impact Assessments. Section 14 of SCC Module 4 does not typically require Company Z or Company A to conduct a transfer impact assessment (TIA) of U.S. law. However, that a TIA would be required if Company Z combined the personal data it received from Company Y, with its own personal data (e.g., did a data enhancement or a data append).

  • Law enforcement request policy. Section 15 of SCC Module 4 does not typically require that Company A take specific steps in the event it receives a request from a public authority for access to personal data. However, a law enforcement policy might be warranted if Company Z combined the personal that it received from Company Y, with its own personal data (e.g., did a data enhancement or a data append).

FOOTNOTES

[1] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at para. 13.

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins