EU Model Contractual Clause Cross-Border Data Transfers

The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.

Data subject (EEA) → Processor Z-1 (non-EEA) → Processor Z-2 (EEA) → Controller A (EEA)

Visual Description and implications
Background. Company A instructs Company Z-2 (EEA) to collect the personal data of data subjects on its behalf. Company Z-2 uses its subsidiary in Country Q as a sub-processor to collect the personal data. In this scenario, the data subject physically transfers personal information to the sub-processor, which is not located in the EEA, but this sub-processor is acting on instructions from the processor, and ultimately the controller, who is located in the EEA. There are three strategies for structuring the transfer.
Option 1
  • Transfer 1: No mechanism needed. The EDPS has taken the position that a data subject “cannot be considered a controller or processor”,[i] and, therefore, restrictions on cross-border data transfers that apply to controllers and processors do not apply to data subjects.[ii] Accordingly, it could be argued that no mechanism is necessary to transfer the personal data of the data subject to Company Z-1.
  • Transfer 2: No mechanism needed. The GDPR does not oblige a company that transmits data from a non-adequate country to the EEA to use a safeguard mechanism. Unless Country Q independently requires a cross-border transfer mechanism, no cross-border transfer mechanism will be needed.
Option 2
  • Transfer 1: Possible use of SCC Module 3. The EDPS has taken the position that a data subject “cannot be considered a controller or processor”,[iii] and, therefore, restrictions on cross-border data transfers that apply to controllers and processors do not apply to data subjects.[iv] Accordingly, it could be argued that no mechanism is necessary to transfer the personal data of the data subject to Company Z-1. At the same time, since Company Z-1 ultimately works on behalf of and under the direction of Company Z-2, an argument could be made that the data subject does not make the decision to transfer data outside the EEA; this decision was made by Company Z-2 (acting on the instructions of Company A). Based on this reasoning, Company Z-2 could consider entering into a Module 3 standard contractual clause in which it considers that it is constructively exporting personal data from the EEA to its sub-processor in Country Q.
  • Transfer 2: No mechanism needed. The GDPR does not oblige a company that transmits data from a non-adequate country to the EEA to use a safeguard mechanism. Unless Country Q independently requires a cross-border transfer mechanism, no cross-border transfer mechanism will be needed.
Option 3
  • Transfer 1: Possible use of SCC Module 2. The EDPS has taken the position that a data subject “cannot be considered a controller or processor”,[v] and, therefore, restrictions on cross-border data transfers that apply to controllers and processors do not apply to data subjects.[vi] Accordingly, it could be argued that no mechanism is necessary to transfer the personal data of the data subject to Company Z-1. At the same time, since Company Z-1 ultimately works on behalf of and under the direction of Company A, it could be argued that the data subject does not make the decision to transfer personal data outside of the EEA; this decision was made by Company A. Based on this justification, Company A could consider entering into a Module 2 standard contractual clause in which it considers that it is constructively exporting personal data from the EEA to its subcontractor in Country Q.
  • Transfer 2: No mechanism needed. The GDPR does not oblige a company that transmits data from a non-adequate country to the EEA to use a safeguard mechanism. Unless Country Q independently requires a cross-border transfer mechanism, no cross-border transfer mechanism will be needed.

FOOTNOTES

[i] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.

[ii] The transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and therefore is not subject to the GDPR at all, as the regulation does not apply to the processing carried out by a “natural person in the context of a purely personal or household activity.” GDPR, art. 2(2)(c).

[iii] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.

[iv] The transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and therefore is not subject to the GDPR at all, as the regulation does not apply to the processing carried out by a “natural person in the context of a purely personal or household activity.” GDPR, art. 2(2)(c).

[v] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.

[vi] The transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and therefore is not subject to the GDPR at all, as the regulation does not apply to the processing carried out by a “natural person in the context of a purely personal or household activity.” GDPR, art. 2(2)(c).

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 202
