The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.
- Background. Company A is an EEA controller that utilizes Company Z, a processor based in Country Q. Company Z does not have a legal presence in Country R,but does have an employee that is on a personal vacation in Country R and receives personal information while on vacation.
- Transfer 1: SCC Module 2. The cross-border transfer of personal data from the EEA to Country Q should utilize the SCC Module 2 designed for transfers from a controller to a non-EEA processor.
- Transfer 2: No Mechanism Needed. The EDPB has suggested that when a company transmits personal data to an employee that is located outside of the EEA the transmission does not constitute a “transfer” of personal information for purposes of Chapter V of the GDPR because the data has not been sent to a separate controller or processor. While the EDPB provided, as an example, the use-case whereby an employee travels for work to India where he or she remotely accesses personal data from the EEA, this rationale presumably also applies to other remote-work situations such as where an employee goes on a personal vacation in a non-EEA country, or where the remote employee downloads personal data (as opposed to remotely accessing such data). Although the example provided by the EDPB also involved a European company sending data to an employee outside of the EEA, the rationale utilized by the EDPB presumably applies where a company located in Country Q sends data to an employee located in Country R.
- Transfer Impact Assessments. Clause 14 of the SCCs requires both parties (Company A and Company Z) to document whether either party has reason to believe that the laws and practices of Country Q prevent Company Z from fulfilling its obligations under the SCCs. Clause 14 might also be interpreted as requiring that the companies consider any additional countries to which data might be transferred (e.g., Country R).
- Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importer (Company Z) to take specific steps in the event they receive a request from a public authority for access to personal data. As a result, Company Z might consider creating a written law enforcement request policy.
 EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at paras. 14, 15.