On Jan. 27, 2022, Brazil’s Data Protection Agency (ANPD) adopted Resolution ANPD No. 2 (the “Resolution”), limiting Brazil’s Data Protection Law (LGPD) obligations on small entities.

Processing Agents

Similar to the European GDPR, the LGPD categorizes businesses subject to the law as either “controllers” or “processors.” However, the LGPD also groups these two categories together

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Controller A-1 (EEA) → Controller A-2 (Non-EEA)

Visual Description and Implications
  • Background. Company A-1 and Company A-2 are corporate affiliates that are under common ownership

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Controller A (EEA)  → Controller B (EEA) → Controller C (Non-EEA)

Visual Description and Implications
  • Background. Company A in the EEA transfers personal data to

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Data Subject (EEA) → Processor Z-1 (non-EEA) → Processor Z-2 (EEA) → Controller A (EEA)

Visual Description and Implications
Background. Company A retains Company Z-2

Controller A (Non-EEA) → Processor Z (Non-EEA) → Sub-processor Y (EEA) → Controller A (Non-EEA) (same country)

Visual Description and Implications
  • Transfer 1: No mechanism needed.  Company A is not required under the GDPR to put safeguards in place to transfer information to a processor that is also located in Country Q.
  • Transfer 2: No

Modern state privacy laws mandate that agreements with service providers or processors contain specific contractual provisions to govern the parties’ relationship. Which provisions should be included in a vendor agreement, however, differ by state statute. In addition, some state privacy laws impose statutory obligations upon vendors that do not necessarily need to be memorialized in

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Transfers from a European Data Subject: Data Subject→Controller (US)→Processor (US)
  • The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”1 and, as a result,

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Transfers from a European Data Subject: Data Subject→Controller (US)→Controller (non-EEA)
  • The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”1 and, as a result,

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Transfers from a European Data Subject: Data Subject→Controller (US)→Controller (US)
  • The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”[1] and, as a result,

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Transfers from a US Controller to EEA processors (Renvois) Controller (US)  Processor (US)  Sub-processor (EEA)  Controller (US)
  • Cross border transfers in the United States don’t need an SCC. Company A is not required under U.S. law or the GDPR