The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Transfers from a US Controller to EEA processors (Renvois) Controller (US)  Processor (US)  Sub-processor (EEA)  Controller (US)
  • Cross border transfers in the United States don’t need an SCC. Company A is not required under U.S. law or the GDPR

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June of 2021.

Visual

Implications

  • Initial cross-border transfer from the EEA to the US utilizes the SCC Module 1 designed for transfers from a controller to another non-EEA

Visual Implications
  • 1st SCC Module 1. Initial cross-border transfer from Company A to Company B utilizes the SCC Module 1 designed for transfers from a controller to a non-EEA Controller.
  • 2nd SCC Module 2. Pursuant to Section 8.7 of the 1st SCC, all subsequent onward transfers to non-adequate jurisdictions must also utilize the

Visual Implications
  • 1st SCC Module 1. Initial cross-border transfer from Company A to Company B utilizes the SCC Module 1 designed for transfers from a controller to a non-EEA Controller (1st SCC).
  • 2nd SCC Module 2. Pursuant to Section 8.7 of the 1st SCC, all subsequent onward transfers to non-adequate jurisdictions must also

Companies are allowed to transfer personal data outside the European Economic Area (EEA) if they are (1) transferring data to an entity that is within a country that has been recognized by the European Commission as ensuring an adequate level of protection or (2) they have put in place a European Commission-approved mechanism (a “safeguard”)

Companies are allowed to transfer personal data outside the European Economic Area (EEA) if they are (1) transferring data to an entity that is within a country that has been recognized by the European Commission as ensuring an adequate level of protection or (2) they have put in place a European Commission-approved mechanism (a “safeguard”)

Companies are allowed to transfer personal data outside the European Economic Area (EEA) if they are (1) transferring data to an entity that is within a country that has been recognized by the European Commission as ensuring an adequate level of protection or (2) they have put in place a European Commission-approved mechanism (a “safeguard”)

So much has been said about the new Cross-Border standard contractual clauses (SCC), which the EU Commission finally adopted on 4 June 2021 (see GT blog post from 9 June 2021), that it almost went unnoticed that the Commission published two different kinds of SCC that day. The other set of SCC (the DPA-SCC)

The ISO 29100 privacy framework sets forth the following eleven core principles:

  1. Consent and choice
  2. Purpose legitimacy and specification
  3. Collection limitation
  4. Data minimization
  5. Use, retention and disclosure limitation
  6. Accuracy and quality
  7. Openness, transparency, and notice
  8. Individual participation and access
  9. Accountability
  10. Information security
  11. Privacy compliance

The ISO 27701 privacy framework is not explicitly organized using the

A controller refers to the entity that determines the “purpose and means” of how personal data will be processed. Determining the “purpose” of processing refers to deciding why information will be processed. Determining the “means” of processing refers to deciding how information will be processed.1 That does not necessarily mean, however, that a controller