The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual

Description and Implications

Background. Company A transmits personal data to its processor Company Z, and then instructs its processor to onward transfer the personal data to Company B – a separate controller. Transfer 1: Art. 28 DPA. As personal data has not left the EEA, an adequacy measure is not required. The parties should enter into an agreement that complies with Article 28 of the GDPR as Company Z is acting as a processor to Company A. Transfer 2: No mechanism available. Although the SCC Module 4 is designed for transfers from processors to controllers, it cannot be used in this situation as Clause 8.1(a) of that SCC states that the data exporter (Company Z) must be acting on the instructions of the data importer (Company B). In this scenario, the data exporter is acting on the instructions of Company A (which is not the data importer). As a result, Company Z could not utilize the SCC Module 4. Transfer 3: SCC Module 1. Although the data is being triangulated through Company Z, the only available contractual mechanism is for Company A to enter into a SCC Module 1 with Company B. Transfer Impact Assessments. Clause 14 of the SCCs requires Company A and Company B to document a transfer impact assessment of the laws of Country Q to determine whether either party has reason to believe that the laws and practices of Country Q that apply to the personal data transferred prevent the data importer (i.e., Company B) from fulfilling its obligations under the SCCs. Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importer (Company B) to take specific steps in the event that it receives a request from a public authority for access to personal data.