3 tips for processing personal data outside the EU

Does your company save personal data of EU citizens outside the EU? In that case you also have to comply with the European privacy regulation, the GDPR. Even if somebody else processes the data for you. How do you arrange this?

Processing personal data outside the EU

There are three ways in which you can comply with the General Data Protection Regulation (GDPR) when processing data outside the EU, i.e.:

1. You use standard contractual clauses drafted by the EU in the contract with the processor.
2. Your organisation uses binding corporate rules. In these rules, the organisation lays down safeguards for the transfer of personal data to parts of the organisation outside the EU. Without these safeguards, processing of personal data is not allowed. Not even if the data remains within the same company.
3. You have the data processed in a country for which the European Commission has issued an adequacy decision. This is a declaration by the Commission that the protection of personal data in the country in question complies with the GDPR.

Privacy Shield

A variant of option 3 is the EU-US Privacy Shield. The USA as a whole do not offer an adequate level of data protection. Companies and organisations in the USA can be certified if they comply with the framework of the Privacy Shield and can have this recorded with the US Department of Commerce. European companies can have these registered companies process data of EU citizens. However, this Privacy Shield has been invalidated, which also had consequences for the use of the standard contractual clauses.

To resolve this, the European Commission has taken two measures. Firstly, the standard contractual clauses have been amended, so that they can be used again. In addition, the EU and the US are providing a supplementary arrangement for the Privacy Shield, the Trans-Atlantic Data Privacy Framework.

Standard contractual clauses

To help you make arrangements with your processor outside the EU, the EU has drawn up standard contractual clauses you can use for this purpose. After the Privacy Shield was declared invalid, these standard contractual clauses were tightened. The new clauses can be found here in English.

Please note: If your processor has data of EU citizens processed outside the EU by another processor outside the EU, their agreement must provide the same level of protection. So even if both parties to the processing agreement are established outside the EU, it might be necessary to make use of the standard contractual clauses. Make sure your processor knows this!

The parties are not required to use the standard contractual clauses but they will have to lay down at least the same level of protection as guaranteed by the standard contractual clauses in an agreement. This will not be easy.

The standard contractual clauses are meant for different types of agreements. Please note: The standard contractual clauses are available in modules and in various implementing acts. Moreover, various options can be chosen within the standard clauses. Good legal advice is therefore very important.

Trans-Atlantic Data Privacy Framework (TADP)

Words are just words. So the clauses as such do not say everything. Especially, if binding legislation in the country of the processor clashes with the standard clauses there will be a problem. In that case, it must be agreed how the processor can safeguard that its own government will not get access to the data of EU citizens if the government does not have a ground under the GDPR. This was the case with the processing of personal data in the United States. Therefore, the EU-US Privacy Shield was declared invalid.

This, however, does also have consequences for the use of the standard contractual clauses. After all, it is difficult for companies in the USA to give safeguards about the behaviour of the US security services. That is why the EU and the USA are working on a new scheme: the Trans-Atlantic Data Privacy Framework. What will it include?

According to a declaration of the White House, in this arrangement, the USA undertakes to:

1. Strengthening of the safeguards for privacy and civil freedoms governing the signals intelligence activities.
2. Establishment of a binding complaints procedure with an independent authority.
3. Improvement of the already existing rigorous and layered oversight of signals intelligence activities.

According to the EU, this will comply with the GDPR. In the coming period, these objectives will be elaborated in legal regulations.

The Trans-Atlantic Data Privacy Framework will not substitute the Privacy Shield but is complementary to it. The system of the Privacy Shield remains intact. However, the Privacy Shield will only become relevant again if the TADP enters into force. Until then, you can make use of the new standard contractual clauses in contracts with processors in the US. If it involves processing by another part of your organisation, you can make use of the binding corporate rules.

And no doubt the question whether the TADP does comply with the GDPR will also be brought before the European Court.

Privacy lawyers and GDPR

Do you have any questions about standard contractual clauses or do you want us to draft binding corporate rules? Do you have any other questions concerning privacy and the processing of personal data? Please contact us: