Skip to content

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses, approved by the European Commission in June 2021.

Visual Summary
Transfers from EEA Controller to non-EEA Processor: Controller A (EEA)→ Processor Z (non-EEA) → Controller A (EEA)
  • 1st Transfer: SCC Module 2. Initial cross-border transfer from EEA to a non-EEA country utilizes the SCC Module 2 designed for transfers from a controller to a non-EEA processor (First SCC).
  • 2nd Transfer. The GDPR does not require a company that transmits data to the EEA to utilize a safeguard mechanism.  Note, however, that it is possible that some non-EEA countries impose their own restrictions on cross border data transfers.
  • Transfer Impact Assessments. Section 14 of the SCCs require all parties (Company A and Company Z) to document a transfer impact assessment of the laws of Country X to determine whether any party has reason to believe that the laws and practices of that country prevent Company Z from fulfilling its obligations under the SCCs.
  • Law enforcement request policy.  Section 15 of the SCCs require the data importer (Company Z) to take specific steps in the event that it receives a request from a public authority for access to personal data. As a result, Company Z might consider creating a written law enforcement request policy.