SPRING DISCOUNT
Get 30% off on toolkits, course exams, and Conformio yearly plans.
Limited-time offer – ends April 25, 2024
Use promo code:
SPRING30

Expert Advice Community

Home / EU GDPR / Transfers of coded (pseudonymized) data from EU to US

Guest

Transfers of coded (pseudonymized) data from EU to US

EU GDPR
  Quote
Guest
Guest user Created:   Sep 11, 2018 Last commented:   Sep 11, 2018

Transfers of coded (pseudonymized) data from EU to US

EU GDPR
GDPR considers pseudonymized data as personal data, Privacy Shield is an accepted safeguard for data transfers to the US, but Privacy Shield states "A transfer from the EU to the United States of data coded in this way would not constitute a transfer of personal data that would be subject to the Privacy Shield Principles." I am not sure how to understand that.
0 0

Assign topic to the user

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.
Expert
Andrei Hanganu Sep 11, 2018

1. If the US processor is certified in Privacy Shield, would that cover the transfer, or would standard contractual clauses need to be signed between the EU exporter and US importer (of could these be signed between the US controller and US processor on behalf of the EU exporter)?
2. Would the US controller need to make sure there was also a Data Processing Agreement between the US controller and US processor in place since EU coded data is being processed?
3. Is pseudonymized data still considered personal data once transferred to the US or would it not be personal data any more?

Answer:

Before answering your questions I just want to mention something regarding Privacy S hield. First of all Privacy Shield predates the EU GDPR and this is not 100% in line with its provisions and secondly it has been challenged in front of the European Court of Justice and its future is uncertain. Having this in mind I would advise against using Privacy Shield as a safeguard to transfer data to the US.

1. To be sure that your transfer would not be challenged by any Supervisory Authority and that it won't be affected by the outcome of the Privacy Shield litigation, I would advise using controller to processor Standard Contractual Clauses to legitimize your transfer to an US processor. The SSCs can be signed by a US controller on behalf of the EU exporter. The EU would need to issue a power of attorney to the US entity to enter into a SSC based Data Transfer Agreement.
2. The US controller would basically act on behalf of the EU controller which is needed to ensure the legality of all onward transfers.
3. Yes, as long as the data belong to data subjects “in the Union” even if is pseudonymized it would still be considered personal data.

To find out more about international data transfers check out our webinar “How to make personal data transfers to other countries compliant with GDPR” (https://advisera.com/webinars/how-to-make-personal-data-transfers-compliant-with-gdpr-free-webinar-on-demand/).

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Sep 11, 2018

Sep 11, 2018

Suggested Topics
Guest user Created:   Feb 23, 2023 EU GDPR
Replies: 1
0 0

Data privacy question