Does a U.S. controller need to use the SCCs when it onward transfers data received from a European to a non-EEA processor? Companies are allowed to transfer personal data outside the European Economic Area (EEA) if they are (1) transferring data to an entity that is within a country that has been recognized by the European Commission as ensuring an adequate level of protection or (2) they have put in place a European Commission-approved mechanism (a “safeguard”) that imposes many of the substantive provisions found within the GDPR. Read more.
Compliments Greenberg Traurig