The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

  • Background. Company A is an EEA controller that utilizes Company Z, a processor based in Country Q. Company Z does not have a legal presence

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Transfers from a European Data Subject: Data Subject→Controller (US)→Controller (non-EEA)
  • The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”1 and, as a result,

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Transfers from a European Data Subject: Data Subject→Controller (US)→Controller (US)
  • The EDPB has taken the position that a data subject “cannot be considered a controller or processor,”[1] and, as a result,

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual Description and Implications
Transfers from a European Data Subject - Data Subject→Controller (US)
  • The EDPB has taken the position that a data subject “cannot be considered a controller or processor.”1 As a result, the

On 04 June 2021, the EU Commission adopted two new sets of standard contractual clauses (SCC): one set for the transfer of personal data from the EU to third countries (Cross-Border SCC) and another set addressing certain clauses in controller-processor data processing agreements (DPA-SCC). The adoption was made some seven months after initial drafts

While theoretically an organization could adopt ISO 27701 as a separate standalone framework to apply to the organization’s privacy program, the framework was conceptualized as an extension of the ISO data security standards – i.e., a company would ideally be certified in both data security and data privacy. As a result, it is organized based

A controller refers to the entity that determines the “purpose and means” of how personal data will be processed. Determining the “purpose” of processing refers to deciding why information will be processed. Determining the “means” of processing refers to deciding how information will be processed.1 That does not necessarily mean, however, that a controller

A controller refers to the entity that determines the “purpose and means” of how personal data will be processed. Determining the “purpose” of processing refers to deciding why information will be processed. Determining the “means” of processing refers to deciding how information will be processed.1 That does not necessarily mean, however, that a controller

A controller refers to the entity that determines the “purpose and means” of how personal data will be processed. Determining the “purpose” of processing refers to deciding why information will be processed. Determining the “means” of processing refers to deciding how information will be processed.1 That does not necessarily mean, however, that a controller

A controller refers to the entity that determines the “purpose and means” of how personal data will be processed. Determining the “purpose” of processing refers to deciding why information will be processed. Determining the “means” of processing refers to deciding how information will be processed.[1] That does not necessarily mean, however, that a controller