Transferring and Storing Data outside of the GDPR Zone – Using TargetCW and StaffingNation Globally
In the realm of cyber data, the requirement to understand data protection policies beyond a person’s own location is often a requirement. For instance, if a person located in the US is accessing information of another person who is located within the European Economic Area, there is a requirement to comply with the rules as set forth under the GDPR. This is because a person’s data protection rights are relevant regardless of where in the world the information is sent. This article will clarify what to look out for when you are sending or receiving personal information from outside of the EEA.
What Are the Rules?
It is important to remember that EU Data is permitted to be transmitted and stored in other countries as long as the other country’s requirements are equal to, or stronger than, GDPR requirements. For instance, the California Consumer Privacy Act of 2018, commonly referred to as AB375, was brought in specifically to align with global data protection regulations such as the GDPR. AB375 is considered to be as safe as the GDPR, and in that regard information is able to be stored in any server in the state without worry of noncompliance with GDPR. Many states across the US also have similar data protection laws as AB375.
Generally, as long as the information is able to be deleted at the individual’s request, if they must know in advance whether it will be sold and where to (and agree to that), and where there is clarity surrounding which data is collected and for what purpose, there will be compliance with GDPR. An example of a country where the data protection laws are not in line with the GDPR include Canada, where the ‘Personal Information Protection and Electronic Documents Act’ is not considered to be favourable by the EU due to its non-adherence to the standards set out in the GDPR.
When transferring and storing data for any individual that resides in the EU, there is a requirement to comply with the terms of the General Data Protection Regulations (GDPR). The GDPR mainly applies to people and businesses that control and process information in the European Economic Area, which is technically wider than the EU, which includes Norway, Iceland and Lichtenstein.
If an individual who resides in the EEA has their information sent outside that area, they are at risk of losing GDPR protection. For this reason, the GDPR placed restrictions on transferring personal data outside the EEA unless those individual’s rights are otherwise protected in the same way that the GDPR protects it. Any transfer of an EEA resident’s information outside of the GDPR regulatory area is considered a restricted transfer and normally involves transfers that originate in the EEA which are then sent outside of it.
The GDPR restricts the transfer of such personal data even between international organizations. This restriction applies to all transfers regardless of the amount of transfers or their size. A transfer is considered to be restricted if:
The GDPR is applicable to personal data information being processed and transferred. As Article 2 of the GDPR sets out what is considered processing of personal data, and Article 3 also has to be given weight as it applies to the jurisdictions where the GDPR is applicable.
If you are processing any personal data within the EEA, or processing personal data of individuals who live in the EEA from a position outside of the EEA.
If you send or make accessible any personal data to any receiver where the GDPR does not apply, due to the location being outside the EEA.
If a separate individual or organization will be the receiver of the information being sent. The receiver is defined as someone that is not employed by the person or by the same company, and it can include a company that is in the same umbrella of a larger corporation to which you do work.
It is important to remember that a transfer is not the same thing as a transit. If the personal data is simply being electronically routed through a non-EEA country, and the transfer is actually between EEA countries, then that would not be considered as a restricted transfer. A person would only be making a restricted transfer if information is collected on paper in a non-structured or disorganized way, and that information is sent to a service company that is located outside of the EEA for the following purposes:
In order to put it into a digital form;
In order to add to a manual filing system that relates to all individuals and is highly structure;
In order to place personal data on a website.
The restricted transfer would then take place when a person located outside the EEA accessed the individual’s personal data through a website. If the information is loaded onto a server within any country located in the EEA but you believe that the information will also be accessed from outside that area, it should be looked at as being a restricted transfer.
The only time where the GDPR is not applicable is in the areas of either ongoing medical attention or legal related topics when the purpose for supplying such information has been court ordered. At any point where a court located in any jurisdiction requests information be provided to them, it is clear of any GDPR requirement, for the sole purpose of sending the information to the necessary court or legal professional as ordered.
It is best to take a safe position in terms of data, by considering the restricted transfer status that some information falls into. Understanding when that applies is key to ensuring that compliance with data protection rights is met. It is important to remember that an individual’s rights over their data protection are valid wherever in the world they are sent in the way that is set out by the GDPR if the person lives in the EEA. There are only two general exceptions; when a person is working for an international company and their information is sent within that company across country borders, or where there is a request from a court for specific information to be provided, mainly in relation to health or legal perspectives. However, any information which is deemed necessary by a court has a right to be sent regardless of the protections the GDPR allows.
TargetCW is Privacy Shield Certified and GDPR Compliant.