The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.
Data Subject (EEA) → Processor Z-1 (non-EEA) → Processor Z-2 (EEA) → Controller A (EEA)
Visual | Description and Implications |
Background. Company A retains Company Z-2 (EEA) to collect personal data from data subjects on its behalf. Company Z-2 utilizes its affiliate in Country Q as a sub-processor to collect the personal data. In this scenario the data subject is physically transferring personal information to the sub-processor that is not in the EEA, but that sub-processor is acting at the instruction of the processor, and ultimately the controller, that is in the EEA. There are three strategies for how the transfer could be structured. | |
Option 1 | |
|
|
Option 2 | |
|
|
Option 3 | |
|
[i] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.
[ii] The transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and, therefore, is not subject to the GDPR at all, as the regulations do not apply to processing done by a “natural person in the course of a purely personal or household activity. GDPR, Art. 2(2)(c).
[iii] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.
[iv] The transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and, therefore, is not subject to the GDPR at all, as the regulations do not apply to processing done by a “natural person in the course of a purely personal or household activity. GDPR, Art. 2(2)(c).
[v] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.
[vi] The transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and, therefore, is not subject to the GDPR at all, as the regulations do not apply to processing done by a “natural person in the course of a purely personal or household activity. GDPR, Art. 2(2)(c).