The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Background. Company A retains Company Z in Country Q to process personal data (e.g., collect personal data from data subjects). Company A instructs Company Z to transmit the personal data to Company Y, which is a second processor in Country Q. There are two general strategies for how the transfer could be structured.

Option 1

  • Transfer 1 and Transfer 2: Possible use of SCC Module 2. The EDPB has taken the position that a data subject “cannot be considered a controller or processor”[i] and, therefore, the restrictions on cross-border data transfers that apply to controllers and processors do not apply to data subjects.[ii] As a result, an argument could be made that no mechanism is needed to transfer personal data from the data subject to Company Z. However, because Company Z is working on behalf of, and at the direction of, Company A, an argument could be made that the data subject is not making the decision to directly transfer personal data outside of the EEA – that decision has been made by Company A. Based upon that rationale, Company A and Company Z might consider utilizing Module 2 (First SCC) wherein Company A would conceptualize itself as constructively exporting personal data from the EEA to its processor in Country Q.
  • Transfer 3: Possible use of SCC Module 3. Pursuant to Clause 8.7 of the First SCC, all subsequent onward transfers to non-adequate jurisdictions must also utilize the SCCs (appropriate module). According to Clause 8.7, transfers “in the same [non-EEA] country” should also utilize a safeguard mechanism such as the SCCs.[iii] In this case, the transfer from Company Z to Company Y could be conceptualized either as a processor-to-processor transfer (where Company Y is acting at the direction of Company Z), or as a controller-to-processor transfer (where Company Y is acting at the direction of Company A). The former structure (depicted to the left) might be most appropriate to the extent that Company Y has been selected by Company Z, is a sub-processor of Company Z, and/or takes instruction directly from Company Z.
  • Transfer Impact Assessments. Clause 14 of the SCCs requires all parties (Company A, Company Z, and Company Y) to document a transfer impact assessment (TIA) of the laws of Country Q to determine whether any party has reason to believe that the laws and practices of Country Q that apply to the personal data transferred prevent the data importers (i.e., Company Z and Company Y) from fulfilling their obligations under the SCCs. The TIA could take the form of a single document reviewed and approved by all parties, or separate documents that reflect the specific factors applicable to Company Z and to Company Y.
  • Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importers (Company Z and Company Y) to take specific steps in the event that they receive a request from a public authority for access to personal data.

Option 2

  • Transfer 1 and Transfer 2: Possible use of SCC Module 2. The EDPB has taken the position that a data subject “cannot be considered a controller or processor”[iv] and, therefore, the restrictions on cross-border data transfers that apply to controllers and processors do not apply to data subjects.[v] As a result, an argument could be made that no mechanism is needed to transfer personal data from the data subject to Company Z. However, because Company Z is working on behalf of, and at the direction of, Company A, an argument could be made that the data subject is not making the decision to directly transfer personal data outside of the EEA – that decision has been made by Company A. Based upon that rationale, Company A and Company Z might consider utilizing Module 2 (First SCC) wherein Company A would conceptualize itself as constructively exporting personal data from the EEA to its processor in Country Q.
  • Transfer 3 and Transfer 4: Possible use of SCC Module 2. Pursuant to Clause 8.7 of the First SCC, all subsequent onward transfers to non-adequate jurisdictions must also utilize the SCCs (appropriate module). According to Clause 8.7, transfers “in the same [non-EEA] country” should also utilize a safeguard mechanism such as the SCCs.[vi] In this case, the transfer from Company Z to Company Y could be conceptualized either as a processor-to-processor transfer (where Company Y is acting at the direction of Company Z), or as a controller-to-processor transfer (where Company Y is acting at the direction of Company A). The latter structure (depicted to the left) might be most appropriate to the extent that Company Y has been selected by Company A, is a direct processor of Company A, and/or takes instruction directly from Company A.
  • Transfer Impact Assessments. Clause 14 of the SCCs requires all parties (Company A, Company Z, and Company Y) to document a transfer impact assessment (TIA) of the laws of Country Q to determine whether any party has reason to believe that the laws and practices of Country Q that apply to the personal data transferred prevent the data importers (i.e., Company Z and Company Y) from fulfilling their obligations under the SCCs. The TIA could take the form of a single document reviewed and approved by all parties, or separate documents that reflect the specific factors applicable to Company Z and to Company Y.
  • Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importers (Company Z and Company Y) to take specific steps in the event that they receive a request from a public authority for access to personal data.

[i] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.

[ii] The transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and, therefore, is not subject to the GDPR at all, as the regulations do not apply to processing done by a “natural person in the course of a purely personal or household activity.”  GDPR, Art. 2(2)(c).

[iii] See New SCC Module 1 at 8.7. The position that a transfer between companies in the same non-EEA country requires a safeguard also accords with Article 44 of the GDPR which requires that “any transfer of personal data . . . after transfer to a third country” must take place pursuant to the restrictions in Chapter V of the GDPR.

[iv] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.

[v] The transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and, therefore, is not subject to the GDPR at all, as the regulations do not apply to processing done by a “natural person in the course of a purely personal or household activity.”  GDPR, Art. 2(2)(c).

[vi] See New SCC Module 1 at 8.7.  The position that a transfer between companies in the same non-EEA country requires a safeguard also accords with Article 44 of the GDPR which requires that “any transfer of personal data . . . after transfer to a third country” must take place pursuant to the restrictions in Chapter V of the GDPR.

David A. Zetoony

David Zetoony, Co-Chair of the firm’s U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation.

Andrea C. Maciejewski

Andrea C. Maciejewski designs and implements privacy and security programs for clients of all sizes – from Fortune 500s to start-ups – and in all sectors, including digital entertainment, marketing, online education, retail, and consumer goods. Andrea helps companies navigate the intricacies of multi-jurisdictional compliance programs as well as compliance with sector-specific data privacy and security laws. Andrea offers clients practical legal counsel, striving to understand the underlying business model and provide strategies that manage costs and risks, while attempting to maintain the business's operations.

Her practice includes international data privacy laws and regulations, including the General Data Protection Regulation (“GDPR”) and China’s Personal Information Protection Law (“PIPL”), as well as U.S. federal and state data privacy laws, such as the Children’s Online Privacy Protection Act (“COPPA”), the Family Educational Rights and Privacy Act (“FERPA”), and the California Consumer Privacy Act (“CCPA”). Some of the specialized documents Andrea drafts include data processing addendums, intracompany agreements, cross-border transfer mechanisms, privacy policies, privacy impact assessments, and data inventories. She has experience in U.S. and multi-national record retention practices, and frequently counsels on updating those practices for compliance with new privacy laws.

Additionally, Andrea provides expert counsel on data concerns unique to video games, eSports, and mobile gaming.