The GDPR requires that when a “controller or processor … transfer[s] … data to a third country” that is not considered to have data protection laws analogous to those within the European Union, it utilizes an adequacy measure. In situations where an individual within the European Union is initiating the transfer to a company located outside of the European Union, the receiving entity is not “transferring” the data out of the EU, as it never exercised control over the data within the EU. Put differently, in such cases “there is no controller or processor sending or making the data available” and, as a result, the receiving entity is not required to utilize an adequacy measure. For example, if the individual transmitting the information does so in order to make a personal transaction or purchase (e.g., a purchase from a U.S. eCommerce website), their actions are exempt from the application of the GDPR.

Companies that are located in the United States and often receive data directly from data subjects in the European Union may want to make sure (if it is not obvious) that the data subject knows that he or she is transmitting information to the United States and consider asking the data subject to consent to the transfer.