After an extended sunset period, time to replace the “old” SCCs runs out on Dec. 27, 2022. After that date, the old SCCs will no longer legalize data transfers to countries outside the European Economic Area (EEA). To avoid compliance risks associated with illegal transfers of personal data, any old SCCs should be updated to
Transfer Impact Assessment
Controller A (EEA) → Processor Z (EEA) → Employee of Processor Z (Non-EEA) (on business trip)
The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.
- Background. Company A is an EEA controller that utilizes Company Z, a processor based in Country Q. Company Z does not have a legal presence
Controller A (EEA) → Processor Z (Non-EEA) → Employee of Processor Z (Non-EEA) (on vacation)
- Background. Company A is an EEA controller that utilizes Company Z, a processor based in Country Q. Company Z does not have a legal presence
Controller A (EEA) → Processor Z (Non-EEA) → Employee of Processor Z (Non-EEA) (remote worker) (different country)
- Background. Company A is an EEA controller that utilizes Company Z, a processor based in Country Q. Company Z does not have a legal presence
Controller A (EEA) → Processor Z (EEA) → Controller B (Non-EEA)
…
Data transfers from a European controller to a second European controller to a non-European controller
Controller A (EEA) → Controller B (EEA) → Controller C (Non-EEA)
…
Data transfers from a controller in the EEA, to another controller in the EEA, to a processor outside of the EEA
Controller A (EEA) → Controller B (EEA) → Processor Z (Non-EEA)
…
Data Transfers from Data Subjects in the EEA to non-EEA Processors of EEA Controllers
Controller A (Non-EEA) → Processor Z (Non-EEA) → Sub-processor Y (EEA) → Controller A (Non-EEA) (same country)
…
Does the Attorney-Client Privilege Protect TIAs Created Pursuant to the SCCs from Disclosure?
It depends on the purpose for which a transfer impact assessment (TIA) is created. It is unlikely that the attorney-client privilege would apply to a TIA that is created, and used, to satisfy the requirements of the Standard Contractual Clauses (SCCs).
The attorney-client privilege in the United States refers to a judicially recognized ability for…
What exactly is a “Transfer Impact Assessment” (TIA), and where the heck did it come from?
The term “Transfer Impact Assessment” or “TIA” is relatively new to the world of data privacy. Indeed, according to one widely used legal database the term was not referenced within any academic journals or secondary sources until 2021.[1] The term has come to refer to a written analysis, conducted by a controller or a…