Photo of Carsten A. Kociok

Carsten A. Kociok

Carsten Kociok focuses his practice on the technology industry. He has broad experience in the areas of Internet, information technology, electronic and mobile payments and new media, as well as regulatory and data protection law issues.

Carsten advises national and international companies from the Internet, payments and technology industries on the commercial and regulatory side of their business, in particular in the areas of e-commerce and e-business, electronic and mobile payments, service distribution, franchising, outsourcing and technology transactions. This includes all aspects of e-money and payments law, financial services law, data protection and data security regulations, money laundering obligations as well as marketing, unfair competition, consumer protection and general contract law.

Prior to joining the firm, Carsten worked at Olswang for eight years and in the Capital Transaction Practice Group of an international law firm in New York.

All contracts that used the traditional Standard Contractual Clauses must be updated and repapered by 27 December 2022. To help companies comply with the deadline, Greenberg Traurig’s Data Privacy & Cybersecurity Group has compiled a 90-page guide explaining how to apply the new Standard Contractual Clauses in over 40 different transfer scenarios – ranging from

After an extended sunset period, time to replace the “old” SCCs runs out on Dec. 27, 2022. After that date, the old SCCs will no longer legalize data transfers to countries outside the European Economic Area (EEA). To avoid compliance risks associated with illegal transfers of personal data, any old SCCs should be updated to

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
  • The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”[1] and, as a result,

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Transfers from a European Data Subject: Data Subject→Controller (US)→Processor (US)
  • The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”1 and, as a result,

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Transfers from a European Data Subject: Data Subject→Controller (US)→Controller (non-EEA)
  • The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”1 and, as a result,

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Transfers from a European Data Subject: Data Subject→Controller (US)→Controller (US)
  • The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”[1] and, as a result,

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Transfers from a European Data Subject - Data Subject→Controller (US)
  • The EDPB has taken the position that a data subject “cannot be considered a controller or processor.”1 As a result, the

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Other Transfers from EEA Controller - Controller A (EEA)→Employee of Controller A (non-EEA)
  • Background. Company A is a European legal entity that does not have a legal presence in Country Q.  Company A has

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Transfers from a US Controller to EEA processors (Renvois) - Controller (US)→Processor (EEA) (on deck) (Basic Renvoi)
  • Cross border transfers in the United States don’t need a SCC. Company A is not required under U.S. law or the GDPR

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Transfers from a US Controller to EEA processors (Renvois) Controller (US)→ Processor (Non-EEA)→Sub-processor (EEA)→Controller (US)
  • Cross border transfers from the United States don’t need a SCC. Company A is not required under U.S. law or the GDPR