Transfers from a US Controller to EEA processors (Renvois) Controller (US)→Processor (EEA) (on deck) (Basic Renvoi)

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Visual

Description and Implications

Cross border transfers in the United States don’t need a SCC. Company A is not required under U.S. law or the GDPR to put in place safeguards when it transmits (exports) data to the EEA. SCC Module 4. Article 46 of the GDPR requires that a processor that transfers data outside of the EEA to a non-adequate country must utilize a safeguard. The EDPB has confirmed that this requirement applies when an EEA processor (Company Z) sends data to a controller (Company A).[1] Transfer Impact Assessments. Section 14 of SCC Module 4 does not typically require Company Z or Company A to conduct a transfer impact assessment (TIA) of U.S. law. Note, however, that a TIA would be required if Company Z combined the personal data it received from Company Y, with its own personal data (e.g., did a data enhancement or a data append). Law enforcement request policy. Section 15 of SCC Module 4 does not typically require that Company A take specific steps in the event that it receives a request from a public authority for access to personal data. Note, however, that a law enforcement policy might be warranted if Company Z combined the personal data that it received from Company Y, with its own personal data (e.g., did a data enhancement or a data append).

[1] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at para. 13.