The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June of 2021.

Visual Summary
  • 1st Transfer: SCC Module 2. Initial cross-border transfer from EEA to Country Q utilizes the SCC Module 2 designed for transfers from a controller to a non-EEA processor (First SCC).
  • 2nd Transfer: SCC Module 3. Pursuant to Section 8.7 of the First SCC, all subsequent onward transfers to non-adequate jurisdictions must also utilize the SCCs (appropriate module). Transfers to another company “in the same [non-EEA] country” should utilize a safeguard mechanism such as the SCCs.[1] Note that the parties could alternatively decide to enter into a single SCC between Company A, Company Z, and Company X that integrated a Module 2 SCC (as to Company A and Company Z) and a Module 2 SCC (as to Company A and X).
  • 3rd Transfer. The GDPR does not require a company that transmits data to the EEA to utilize a safeguard mechanism. Note, however, that it is possible that some non-EEA countries impose their own restrictions on cross-border data transfers.
  • Transfer Impact Assessments. Section 14 of the SCCs requires all parties (Company A, Company Z, and Company X) to document a transfer impact assessment of the laws of Country Q to determine whether any party has reason to believe that the laws and practices of Country Q prevent Company Z and/or Company X from fulfilling their obligations under the SCCs.
  • Law enforcement request policy. Note that Section 15 of the SCCs requires the data importers (Company Z and Company X) to take specific steps in the event that they receive a request from a public authority for access to personal data.

[1] See New SCC Module 1 at 8.7. The position that a transfer between companies in the same non-EEA country requires a safeguard also accords with Article 44 of the GDPR, which requires that “any transfer of personal data . . . after transfer to a third country” must take place pursuant to the restrictions in Chapter V of the GDPR.