RegSol Blog


Do you transfer data to U.S. companies?

September 2020

If you use third parties based in the US to process personal data on your behalf, whether it is to store data electronically or for the purposes of client relationship management, take note of where these providers send your clients’ data. 

In cases where third-party service providers are US-based and store your data in the US, beware of the following:

  • Where providers rely on the EU-U.S. Privacy Shield, this is now invalid (the legal mechanism for transferring personal data from the European Economic Area (EEA) to the US is invalid).
  • Standard Contractual Clauses (SCCs) remain valid but are to be approached with caution. Data transfers based on SCCs need to be assessed on a case-by-case basis to ensure that the overall level of protection in the third country is essentially equivalent to that guaranteed within the EU. Depending on the sensitivity of the personal data to be transferred to the third country, SCCs might not permit the transfer of data. 
  • Binding corporate rules (BCRs) remain valid and provide a framework for companies to transfer data across borders within their own organizations. BCRs set up policies, procedures, guidelines, and practices that satisfy GDPR privacy standards. These must be approved by a relevant member state’s data protection authority (DPA), and in most member states, transfers will still require a “transfer notification” to the DPA.
  • Data Protection Authorities in the EU are to ensure that they are providing adequate supervision and, if necessary, taking enforcement action where companies are not properly risk assessing their cross-border transfers.

What should you do now?

  • You should check the privacy policies and/or data protection agreements you currently have with U.S. companies.
  • If any of those policies or agreements refer to the U.S. Privacy Shield, you should contact that company immediately to request clarification and an update on the legal basis for them receiving personal data.
  • If you cannot obtain clarification, you must consider using an alternative company to process the relevant personal data.

By Judy de Castro 
Regulatory Consultant