Transfers of coded (pseudonymized) data from EU to US
Assign topic to the user
1. If the US processor is certified in Privacy Shield, would that cover the transfer, or would standard contractual clauses need to be signed between the EU exporter and US importer (of could these be signed between the US controller and US processor on behalf of the EU exporter)?
2. Would the US controller need to make sure there was also a Data Processing Agreement between the US controller and US processor in place since EU coded data is being processed?
3. Is pseudonymized data still considered personal data once transferred to the US or would it not be personal data any more?
Answer:
Before answering your questions I just want to mention something regarding Privacy S hield. First of all Privacy Shield predates the EU GDPR and this is not 100% in line with its provisions and secondly it has been challenged in front of the European Court of Justice and its future is uncertain. Having this in mind I would advise against using Privacy Shield as a safeguard to transfer data to the US.
1. To be sure that your transfer would not be challenged by any Supervisory Authority and that it won't be affected by the outcome of the Privacy Shield litigation, I would advise using controller to processor Standard Contractual Clauses to legitimize your transfer to an US processor. The SSCs can be signed by a US controller on behalf of the EU exporter. The EU would need to issue a power of attorney to the US entity to enter into a SSC based Data Transfer Agreement.
2. The US controller would basically act on behalf of the EU controller which is needed to ensure the legality of all onward transfers.
3. Yes, as long as the data belong to data subjects “in the Union” even if is pseudonymized it would still be considered personal data.
To find out more about international data transfers check out our webinar “How to make personal data transfers to other countries compliant with GDPR” (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).
Comment as guest or Sign in
Sep 11, 2018