I have an EU customer requesting we add SCCs to our DPA. We are a company located in the US but have an EU instance on which all EU data is stored. None of the data in the application (email and IP address) is transferred across borders. EU data is stored on GCP in ***. The customer is asking that we add SCCs as an appendix to our DPA (which is OK if it makes them feel better). However, they are asking us to also include TOMs, all of which are described in detail in our SOC 2 report, and we are ISO 27701 certified. Are the TOMs mandatory, since technically the SCCs are not (no data is transferred) and we are just adding the SCCs to make this customer happy?
It is important to know which entity offers the service to your customers. If it is the US entity, a transfer takes place, because you manage your Google Cloud Platform instance and so have access to that personal data as a service provider. In its “Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR”, the European Data Protection Board gives three conditions for an international personal data transfer to take place:
1. A controller or a processor is subject to the GDPR for the given processing.
2. This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller, or processor (“importer”).
3. The importer is in a third country or is an international organization, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.
So if the US company is signing the contract with your EU customer, you should sign Standard Contractual Clauses (SCCs) with additional Technical and Organizational Measures (TOMs) to demonstrate protection of personal data from access by US authorities. If you have an EU company under your control signing the contract with your EU customer, you don’t need to sign SCCs. However, you must check whether your US company falls under FISA 702, in which case you should adopt additional TOMs to demonstrate protection of personal data from access by US authorities, and add them to the standard Data Protection Agreement. Also, I recommend performing a DPIA regarding these transfers.