EU Model Contractual Clause Cross-Border Data Transfers
The following is part of Greenberg Traurig’s ongoing series analyzing cross-border data transfers in light of the new Standard Contractual Clauses approved by the European Commission in June 2021.
Data subject (EEA) → Processor Z-1 (non-EEA) → Processor Z-2 (EEA) → Controller A (EEA)
Visual | Description and implications |
Background. Company A instructs Company Z-2 (EEA) to collect the personal data of data subjects on its behalf. Company Z-2 uses its subsidiary in country Q as a sub-processor to collect the personal data. In this scenario, the data subject physically transfers personal information to the sub-processor who is not located in the EEA, but this sub-processor is acting on instructions from the processor, and ultimately the controller, who located in the EEA. There are three strategies for structuring the transfer. | |
Option 1 | |
|
|
Option 2 | |
|
|
Variant 3 | |
|
FOOTNOTES
[i] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.
[ii] The transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and therefore is not subject to the GDPR at all, as the regulation does not apply to the processing carried out by a “natural person in the context of a purely personal or household activity. GDPR, art. 2(2)(c).
[iii] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.
[iv] The transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and therefore is not subject to the GDPR at all, as the regulation does not apply to the processing carried out by a “natural person in the context of a purely personal or household activity. GDPR, art. 2(2)(c).
[v] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR at n.10.
[vi] The transfer of data from Europe to the United States arguably constitutes “processing” by the data subject and therefore is not subject to the GDPR at all, as the regulation does not apply to the processing carried out by a “natural person in the context of a purely personal or household activity. GDPR, art. 2(2)(c).
©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XII, Number 202
Comments are closed.