It is important to know the entity that offers the service to your customers. If it is the US entity, a transfer takes place because you manage your Google Cloud Platform instance so you have access to that personal data as a service provider. In its “Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR”, the European Data Protection Board gives three conditions for an international personal data transfer to take place:
- A controller or a processor is subject to the GDPR for the given processing.
- This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller, or processor (“importer”).
- The importer is in a third country or is an international organization, irrespective of whether or not this importer is subject to the GDPR in respect of the given processing in accordance with Article 3.
So if the US company is signing the contract with your EU customer, you should sign Standard Contractual Clauses (SCC) with additional Technical and Organizational Measures (TOM), to demonstrate protection of personal data from access by US authorities. If you have an EU company under control signing the contract with your EU customer, you don’t need to sign an SCC. However, you must check whether your US company falls under FISA 702, in which case you should adopt additional TOMs to demonstrate protection of personal data from access by US authorities, and add them to the standard Data Protection Agreement. Also, I recommend performing a DPIA regarding these transfers.
Please consult these links as well:
- Article 3 GDPR – https://advisera.com/eugdpracademy/gdpr/territorial-scope/
- Chapter V GDPR – https://advisera.com/eugdpracademy/gdpr-text/transfers-of-personal-data-to-third-countries-or-international-organisations/
- EDPB Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data: https://edpb.europa.eu/sites/default/files/consultation/edpb_recommendations_202001_supplementarymeasurestransferstools_en.pdf
- EDPB Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR: https://edpb.europa.eu/our-work-tools/documents/public-consultations/2021/guidelines-052021-interplay-between-application_en
- 5 phases of the EU GDPR Data Protection Impact Assessment: https://advisera.com/eugdpracademy/knowledgebase/5-phases-of-the-eu-gdpr-data-protection-impact-assessment/
- EU GDPR Toolkit that contains DPIA methodology: https://advisera.com/eugdpracademy/eu-gdpr-documentation-toolkit/
Apr 25, 2022