Document Set

The Advisera GDPR toolkit includes all the necessary documents needed for you to complete your GDPR-compliance journey. Since you are processing special categories of personal data (health data), I recommend performing a Data Protection Impact Assessment, per Article 35. As part of the Advisera GDPR Toolkit, there is a DPIA Methodology document that can help you. Also, you need to consider informing the data subjects affected by these transfers. As part of the GDPR Toolkit, there are templates for Privacy Notices.

As an American company, you need to check whether you are subject to FISA 702 US Regulation. If yes, you need to take additional measures in order to protect EU data, according to Chapter V in GDPR - TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS. The best transfer mechanism to use in this case is the EU Standard Contractual Clauses, per art Article 46 – Transfers subject to appropriate safeguards, but you need to take additional measures such as encryption of data-at-rest and in-transit, with a key stored on a server in EU.

The risks would be clearly reduced if you have full storage of data on EU servers managed by an EU organization.

Please also consult these resources:

• EU GDPR Toolkit: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
• Chapter V GDPR -  Transfers of personal data to third countries or international organisations: https://advisera.com/eugdpracademy/gdpr-text/transfers-of-personal-data-to-third-countries-or-international-organisations/
• Article 46 GDPR - Transfers subject to appropriate safeguards: https://advisera.com/gdpr/transfers-subject-to-appropriate-safeguards/
• Article 35 GDPR - Data protection impact assessment: https://advisera.com/eugdpracademy/gdpr/data-protection-impact-assessment/
• 3 steps for data transfers according to GDPR: https://advisera.com/articles/3-steps-for-data-transfers-according-to-gdpr/