• Background. Company B-1 and Company B-2 are corporate affiliates who are under common ownership or control but are separate legal entities. Company B-2 is the processor of Company B-1. While data is being directly sent from Company A in Europe to Company B-2, Company B-2 is not acting as the processor of Company A;

  • Background. Company B-1 and Company B-2 are corporate affiliates who are under common ownership or control but are separate legal entities. While data is being directly sent from Controller A in Europe to Controller B-2 in the United States, Controller A has contracted only with Controller B-1 in Europe. Solid line indicates the data

Visual Implications
  • 1st SCC Module 1. Initial cross-border transfer from Company A to Company B utilizes the SCC Module 1 designed for transfers from a controller to a non-EEA Controller.
  • 2nd SCC Module 2. Pursuant to Section 8.7 of the 1st SCC, all subsequent onward transfers to non-adequate jurisdictions must also utilize the

Companies are allowed to transfer personal data outside the European Economic Area (EEA) if they are (1) transferring data to an entity that is within a country that has been recognized by the European Commission as ensuring an adequate level of protection or (2) they have put in place a European Commission-approved mechanism (a “safeguard”)

Companies are allowed to transfer personal data outside the European Economic Area (EEA) if they are (1) transferring data to an entity that is within a country that has been recognized by the European Commission as ensuring an adequate level of protection or (2) they have put in place a European Commission-approved mechanism (a “safeguard”)

Companies are allowed to transfer personal data outside the European Economic Area (EEA) if they are (1) transferring data to an entity within a country recognized by the European Commission as ensuring an adequate level of protection or (2) they have put in place a European Commission-approved mechanism (a “safeguard”) that imposes many of the

No.

The GDPR requires that when a “controller or processor … transfer[s] … data to a third country” that is not considered to have data protection laws analogous to those within the European Union, it utilizes an adequacy measures.[1] In situations where an individual within the European Union is initiating the transfer to a

Some privacy statutes explicitly reference “sensitive” or “special” categories of personal information. While such terms, when used, often include similar data types that are generally considered as raising greater privacy risks to data subjects if disclosed, the exact categories that fall under those rubrics differ between and among statutes. Furthermore, other privacy statutes do not

Deidentified information is defined within the CCPA to refer to information that “cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer” provided that a business that uses deidentified information takes four operational and organizational steps to ensure that such information is not