The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Other Transfers from EEA Controller - Controller A (EEA)→Employee of Controller A (non-EEA)
  • Background. Company A is a European legal entity that does not have a legal presence in Country Q. Company A has an employee who works from Country Q (e.g., a remote worker or a travelling employee).
  • Transfer 1: No mechanism needed for transfer from Company A to its employee outside of the EEA. The EDPB has suggested that when a company transmits personal data to an employee located outside of the EEA, the transmission does not constitute a “transfer” of personal information for purposes of Chapter V of the GDPR because the data has not been sent to a separate controller or processor.1 While the EDPB provided, as an example, the use case in which an employee travels for work to India, where he remotely accesses personal data from the EEA, the EDPB’s rationale may apply equally to other remote-work situations, such as an employee who resides in a non-EEA country or a remote employee who downloads personal data (as opposed to remotely accessing such data).
  • Transfer Impact Assessments. The EDPB has suggested that a controller (Company A) is “accountable for [its] processing activities” which include assessing risks “to conduct or proceed with a specific processing operation in a third country although there is no ‘transfer’ situation.”2  As a result, Company A might consider conducting a TIA to analyze various risks that may result from the transmission of data to an employee in Country Q.  While conducting a TIA might be beneficial, it is important to note that unlike transfers that utilize the SCCs, a TIA is not contractually required.
  • Law enforcement request policy.  The EDPB has suggested that a controller (Company A) is “accountable for [its] processing activities” which include assessing risks “to conduct or proceed with a specific processing operation in a third country although there is no ‘transfer’ situation.”3  As a result, Company A might consider creating a law enforcement request policy to mitigate risks surrounding law enforcement requests received from Country Q.

1 EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at paras. 14, 15.

2 EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at para. 17.

3 EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at para. 17.