The GDPR provides several arrangements to streamline legal compliance and provide guidance. This includes regulatory tools of self-regulation, co-regulation; and public-private partnerships such as codes of conduct, certification mechanisms, binding corporate rules, and standard data protection clauses. Full explanations of these are available in the Guide provided at the beginning of this series.
What if your business is outside of the EEA?
Take note! If you are located outside of the EEA but process and control personal data of EU citizens, the Regulation is applicable. End of! AND it doesn’t matter whether the actual processing or controlling of data is carried out within the EEA or elsewhere.
What if your business is within the EEA but you use tools and platforms that store data outside of the EEA?
The GDPR, like the Directive, does not contain any specific requirement that the personal data of EU citizens be stored only in EEA member states. Rather, the GDPR requires that certain conditions be met before personal data is transferred outside of the EEA, identifying a number of different legal grounds that organisations can rely on to perform cross-border data transfers.
One legal ground for transferring personal data set out in the GDPR is an “adequacy decision.” An adequacy decision is a decision by the European Commission that an adequate level of protection exists for the personal data in the country, territory, or organisation where it is being transferred.
This can be Standard Contractual Clauses or the EU-US Privacy Shield (when the recipient is based in the US). Further information on the Privacy Shield framework is provided in the Guide.
Third countries are considered those outside of the EEA (28 EU countries and Norway, Liechtenstein and Iceland). Their level of personal data protection is assessed by the European Commission. Also, as third countries’ level of protection will change over the years, the European Commission will review its adequacy decisions at least every four years.
The effect of such a decision is that personal data can flow from the EEA to that third country without any further safeguard being necessary.
The Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay as providing adequate protection.
If you would like further in-depth information on the GDPR please feel free to download my comprehensive Guide to GDPR. You will also receive limited follow-up support and gain access to a DATA AUDIT WORKBOOK, a CONSENT CHECKLIST and a GDPR CHECKLIST.
Please note: The GDPR series of articles on this blog do not promise to be either a full synopsis or full interpretation of the GDPR. Indeed I have simply taken the most important aspects of the GDPR I feel are relevant to the small business owner. Everything you read online about the GDPR will be some kind of an interpretation, synopsis or summary of the GDPR. Unless, of course, you read the full text in itself.