With the growth of e-commerce and the move online of many companies that, partly because of the Covid pandemic, have shifted several activities to the web, the management and processing of data under the EU GDPR has returned to the forefront of information requests. Data transfer flows run in two directions:
- There are companies based abroad that collect and process, in the EU, sensitive data protected by the GDPR.
- And there are companies that instead collect personal data in Europe and transfer and manage them abroad.
EU-US Privacy Shield and the GDPR: the agreement that dispelled the doubts of controllers and processors of personal data about the transfer of personal data collected in the EU
The Privacy Shield, the privacy protection framework between the EU and the US, is a self-certification mechanism for companies established in the US that wish to receive and manage personal data from the European Union. Let’s take a concrete example: how does a company based in the USA that owns online newsletter software process and manage personal data collected in Europe and protected by the GDPR?
How is the GDPR privacy policy handled by non-EU companies based in the USA that collect protected data in Europe?
But the cases may be even more obvious. Think of a US company that intends to recruit European staff to carry out some of its activities in the EU and to transfer the sensitive and personal data of its EU employees to the US.
In these cases the Privacy Shield comes to the rescue.
It is an agreement to which the US company concerned asks to adhere and, once admitted, is included in the Privacy Shield List. Under the agreement, Privacy Shield certification is obtained within a short time by US companies that commit to respecting the EU privacy protection principles under the GDPR. In addition, they must provide the European owners of the personal data transferred to the U.S. with appropriate protection tools, or they will be removed from the Privacy Shield List of companies certified by the U.S. Department of Commerce. The European Commission considered that the system offers an adequate level of protection for personal data transferred from an individual in the EU to a company established in the US and that, therefore, the Privacy Shield provides legal safeguards for such data transfers.
The Privacy Shield applies to all categories of personal data transferred from the EU to the U.S., including business information and health or human resources data, provided that the U.S. company receiving the data has self-certified its adherence to the scheme.
The distinction between the roles of the parties involved in protecting and managing personal information
As is well known, the parties involved in the processing of personal data are:
- The Data Controller: the “natural or legal person who determines the purposes and means of the processing of personal data”. In essence, the Data Controller is the one who processes the data without receiving instructions from others and who decides why and how the data should be processed. In the case of an online email marketing tool, it is the one who opens the account.
- The data subject: the natural person to whom the personal data relate. As an aside, the continuous technological evolution of society makes us all subjects of personal data processing: just think of the pervasiveness of video surveillance systems, loyalty cards and so on to understand that at every moment we are potential data subjects.
- The data processor: the natural or legal person who processes personal data on behalf of the data controller. On the web these are, for example, the internet companies that own the email marketing tools, as in our example, but also web hosting providers. Bear in mind that whoever processes data on behalf of the controller is responsible for that processing, as is the case with web hosting.
As made clear, the data processor is a separate entity from the data controller and may be internal or external to the company. The data controller remains responsible for the management: it must choose processors that provide sufficient guarantees in terms of specialist knowledge, reliability and resources to implement the GDPR security principle through technical and organisational measures that meet the requirements of the Regulation.
Therefore, the processor shall:
- have qualified expertise;
- ensure particular reliability, for example the absence of criminal convictions;
- have adequate technical resources to fulfil the obligations arising from the appointment contract and the relevant rules. If the processor is internal to the company, the resources will be borne by the controller.
This is why many cloud data management services have been developed, alongside the appointment of the DPO (Data Protection Officer), to make it relatively easy for the data controller to manage personal data collected in the EU and transferred to the USA.
The types of EU data processed by US companies may include:
- name, email, address or telephone number;
- device information;
- how you interact with emails;
- the IP address;
- date and time of connection, or of opening emails and clicking on links;
- possibly other data collected by social networks, such as when we log in via Facebook or Google.
Therefore, the Data Controller must comply with European standards and, to do so, must:
- sign the “Data Processing Agreement”, i.e. the data processing agreement, with the data processor;
- activate the GDPR fields in the service registration form.
Data transfer abroad
Transfer of data abroad means the flow, or cross-border transfer, of personal data to a recipient subject to a foreign jurisdiction.
To avoid misunderstandings and alarm: simply publishing personal data on a website does not constitute a transfer abroad.
Only direct communication to specific recipients falls under the notion of “cross-border data flow”, and therefore only in that case is there a data transfer from a country covered by the EU GDPR to a foreign country.
In general, the transfer of personal data outside the EEA (European Economic Area) is permitted if the recipient guarantees a level of data protection adequate to the European one.
There are two adequacy cases:
The first concerns the transfer of data abroad when the third country guarantees a level of data protection adequate to that of Europe and the GDPR and is included in the Privacy Shield List. In any case, adequacy is assessed on the basis of:
- nature of the data;
- purpose of the processing;
- the possibility that the data pass through other countries before reaching their final destination;
- legal provisions, including sectoral ones;
- the security measures and data breach procedures envisaged.
The second case concerns the transfer of personal data to countries that do not guarantee an adequate level of protection. An example is the Data Controller of a company based in Europe, who can enter into a contract with the owner of the company in the third country, whose clauses must offer an adequate level of protection for the processing of the personal data transferred, in particular a satisfactory level of security and protection of the rights of the persons concerned, with effective redress mechanisms.
Clearly, the transfer and management of personal data abroad is a complex matter that cannot be settled in these few lines, not least because, as an international contractual matter, many rules and standards must be defined for the different fields of action:
- contractual clauses between the data controller, the processor and the recipient;
- binding rules and effective rights;
- code of conduct;
- certification mechanism.
This is why in such cases the involvement of a lawyer expert in the international processing and management of sensitive and personal data is mandatory.
And that’s why we recommend the legal advice of the team of lawyers of the International Law Firm Damiani&Damiani, experienced in managing privacy under the EU GDPR.
Fill out the form and submit your case