The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.
Law enforcement request policy. If no SCCs are signed, neither Company A nor Company B would be directly subject to Section 15 of the SCCs that require specific steps in the event that a company receives a request from a public authority for access to personal data. Nonetheless, the EDPB has suggested that controllers (Company A and Company B) are “accountable for [their] processing activities” which include assessing risks “to conduct or proceed with a specific processing operation in a third country although there is no ‘transfer’ situation.”[3] As a result, Company B might consider creating a law enforcement request policy to mitigate risks surrounding law enforcement requests from the United States. |
[1] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at paras. 15 and 16.
[2] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at para. 17.
[3] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at para. 17.