The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: What does a company need to do to transfer data from an office in the EEA to one of its offices or affiliates in the United States?
Answer: Before transferring personal data from an office in the European Economic Area to an office or affiliate in the United States, a company needs to ensure that the recipient has appropriate safeguards in place. Existing appropriate safeguards are Standard Contractual Clauses, certification to the Privacy Shield, or the implementation (and approval) of Binding Corporate Rules.
Many companies find that the easiest strategy for a transfer between offices of the same company is putting in place Standard Contractual Clauses. These clauses pre-date the GDPR. Approximately 90% of European Union companies rely on Standard Contractual Clauses exclusively, or as part of their strategy for facilitating cross-border transfers of information. In addition to identifying and implementing a suitable adequacy measure, such as a Standard Contractual Clause, a company should make data subjects aware of the transfer and refer to the transfer in its data register or record of processing activities under Article 30.