Skip to content

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
  • Background. Company A transmits personal data to its processor Company Z, and then instructs its processor to onward transfer the personal data to Company B – a separate controller.
  • Transfer 1: Art. 28 DPA. As personal data has not left the EEA, an adequacy measure is not required. The parties should enter into an agreement that complies with Article 28 of the GDPR as Company Z is acting as a processor to Company A.
  • Transfer 2: No mechanism available. Although the SCC Module 4 is designed for transfers from processors to controllers, it cannot be used in this situation as Clause 8.1(a) of that SCC states that the data exporter (Company Z) must be acting on the instructions of the data importer (Company B). In this scenario, the data exporter is acting on the instructions of Company A (which is not the data importer). As a result, Company Z could not utilize the SCC Module 4.
  • Transfer 3: SCC Module 1. Although the data is being triangulated through Company Z, the only available contractual mechanism is for Company A to enter into a SCC Module 1 with Company B.
  • Transfer Impact Assessments. Clause 14 of the SCCs requires Company A and Company B to document a transfer impact assessment of the laws of Country Q to determine whether either party has reason to believe that the laws and practices of Country Q that apply to the personal data transferred prevent the data importer (i.e., Company B) from fulfilling its obligations under the SCCs.
  • Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importer (Company B) to take specific steps in the event that it receives a request from a public authority for access to personal data.

 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David A. Zetoony David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

Photo of Andrea C. Maciejewski Andrea C. Maciejewski

Andrea C. Maciejewski designs and implements privacy and security programs for clients of all sizes – from Fortune 500s to start ups – and in all sectors, including digital entertainment, marketing, online education, retail, and consumer goods. Andrea helps companies navigate the intricacies

Andrea C. Maciejewski designs and implements privacy and security programs for clients of all sizes – from Fortune 500s to start ups – and in all sectors, including digital entertainment, marketing, online education, retail, and consumer goods. Andrea helps companies navigate the intricacies of multi-jurisdictional compliance programs as well as compliance with sector-specific data privacy and security laws. Andrea offers clients practical legal counsel, striving to understand the underlying business model and provide strategies that manage costs and risks, while attempting to maintain the businesses operations.

Her practice includes international data privacy laws and regulations, including the General Data Protection Regulation (“GDPR”) and China’s Personal Information Protection Law (“PIPL”), as well as U.S. federal and state data privacy laws, such as the Children’s Online Privacy Protection Act (“COPPA”), the Family Educational Rights and Privacy Act (“FERPA”), and the California Consumer Privacy Act (“CCPA”). Some of the specialized documents Andrea drafts include data processing addendums, intracompany agreements, cross-border transfer mechanisms, privacy policies, privacy impact assessments, and data inventories. She has experience in U.S. and multi-national record retention practices, and frequently counsels on updating those practices for compliance with new privacy laws.

Additionally, Andrea provides expert counsel on data concerns unique to video games, eSports, and mobile gaming.