Skip to content

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Controller A (EEA) → Controller B (EEA) → Processor Z (Non-EEA)

Visual Description and Implications
  • Background. Company A in the EEA transfers personal data to Company B in the EEA. Company B then transfers the personal data to its processor, Company Z, in Country Q.
  • Transfer 1. No mechanism needed. The GDPR does not require a safeguard mechanism for data that is transferred from a company in the EEA to another company in the EEA.
  • Transfer 2. SCC Module 2. The transfer from Company B to Company Z should utilize the SCC Module 2 designed for transfers from controllers in the EEA to processors that are located outside of the EEA.
  • Transfer Impact Assessments. Clause 14 of the SCCs would require that Company B and Company Z document a transfer impact assessment of the laws of Country Q to determine if they prevent Company Z from fulfilling its obligations under the SCCs.
  • Law enforcement request policy. Clause 15 of the SCCs requires Company Z to take specific steps in the event that it receives a request from a public authority for access to personal data. As a result, Company Z might consider creating a law enforcement request policy for handling requests from public authorities.