Skip to content

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

  • Background. Company A is an EEA controller that utilizes Company Z, a processor based in Country Q. Company Z does not have a legal presence in Country R, but does have an employee that works remotely from Country R (e.g., a remote worker). 
  • Transfer 1: SCC Module 2. The cross-border transfer of personal data from the EEA to Country Q should utilize the SCC Module 2 designed for transfers from a controller to a non-EEA processor.
  • Transfer 2: No Mechanism Needed. The EDPB has suggested that when a company transmits personal data to an employee that is located outside of the EEA the transmission does not constitute a “transfer” of personal information for purposes of Chapter V of the GDPR because the data has not been sent to a separate controller or processor.[1] While the EDPB provided, as an example, the use-case whereby an employee travels for work to India where they remotely accesses personal data from the EEA, this rationale presumably also applies to other remote-work situations such as where an employee resides in a non-EEA country, or where the remote employee downloads personal data (as opposed to remotely accessing such data). While the example provided by the EDPB involved a European company sending data to an employee outside of the EEA, the rationale utilized by the EDPB presumably applies where a company located in Country Q sends data to an employee located in Country R.
  • Transfer Impact Assessments. Clause 14 of the SCCs requires both parties (Company A and Company Z) to document whether either party has reason to believe that the laws and practices of Country Q prevent Company Z from fulfilling its obligations under the SCCs. Clause 14 might also be interpreted as requiring that companies consider any additional countries to which data might be transferred (e.g., Country R).
  • Law Enforcement Request Policy. Clause 15 of the SCCs requires the data importer (Company Z) to take specific steps in the event they receive a request from a public authority for access to personal data. As a result, Company Z might consider creating a written law enforcement request policy.

[1] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at paras. 14, 15.