We live in a time when (cloud) services are offered worldwide and their use seems to be taken for granted. Before you know it, personal data for which you as an organization are responsible is abroad. Is that a bad thing? Not as long as the data stays within the European Economic Area (EEA). The General Data Protection Regulation (GDPR; in Dutch, AVG) applies throughout the EEA and makes no distinction between data in the member states of the European Union (EU) and data in Norway, Liechtenstein and Iceland; together they make up the EEA. If, however, you store or process data outside the EEA, matters are not so simple and everything must be properly arranged. In this article we outline what you need to pay attention to.

Inform data subjects
If you as an organization process personal data outside the EEA, you must inform the data subjects of this. Under Articles 13 and 14 of the GDPR, that information must state whether an adequacy decision applies and, if not, which appropriate safeguards you rely on and how data subjects can obtain a copy of them. Data subjects may object to their data being processed and/or stored outside the EEA, for example if this is not necessary for the purpose of the processing or brings them no benefit. This may be a barrier that keeps them from using the organization's services, and it can damage the organization's image: how does it look if a municipality or a healthcare institution stores data on the other side of the world?
Ensure appropriate safeguards
When data is stored or processed outside the EEA, the GDPR requires that the protection of personal data is guaranteed at a level essentially equivalent to that within the EEA. This can be done in several ways:
by processing data in countries for which the European Commission has issued an adequacy decision, i.e. a determination that these countries offer an adequate level of protection. Such decisions exist, for example, for Canada (limited to commercial organizations), Switzerland and Israel.
The United States (US) also has an adequacy decision, but it applies only to US organizations that have self-certified under the EU-US Privacy Shield;
by contractual arrangements, such as the model contracts (Standard Contractual Clauses) adopted by the European Commission, which must be used unchanged;
by binding internal rules (Binding Corporate Rules) approved by a supervisory authority, such as the Autoriteit Persoonsgegevens in the Netherlands.
Data may also be processed outside the EEA if one of the specific derogations applies, for example when the processing is necessary for the performance of a contract with the data subject or when the data subject's life is at stake. These derogations are exceptions for individual cases and cannot serve as the general basis for structural processing outside the EEA.
You will have to check the appropriate safeguards regularly, because a decision once made can be overturned, for example by the courts. This happened in 2015, when the Court of Justice of the European Union struck down the adequacy decision for the US based on the Safe Harbor Privacy Principles. Its successor, the EU-US Privacy Shield, is now also under fire (the Court did in fact invalidate it as well, in July 2020). As an organization, are you prepared for the moment when Privacy Shield is no longer valid?
Know where your data is
To properly inform data subjects and to ensure appropriate safeguards, you therefore need to know where the data is stored and processed. Often this remains unclear in processor agreements, or suppliers reserve the right to change the location of their servers and storage. As soon as processing moves outside the EEA, data subjects must be informed, and you can only do that if you keep a grip on where the supplier processes and stores the data, including any sub-processors it engages and the locations from which its support staff can access the data. Furthermore, the question is whether you, as data controller, want to be exposed to foreign legislation at all.
To avoid image damage and/or unnecessary barriers, it is often better to stipulate in the processor agreement with a supplier that the data remain within the EU or EEA, and to require that the supplier notify you before it changes the location of processing or adds a sub-processor.
Make the trade-off: data inside or outside the EEA?
For many (smaller) organizations, processing data outside the EEA leads to a lot of extra work. Apart from the aspects mentioned above, image and the legal complexity that foreign legislation entails can also be reasons to look for alternative suppliers that process data within the EEA. Such suppliers often exist, but are (still) less well known.
In any case, it pays to make the trade-off consciously.
Summary:
Know where the data is
Weigh alternatives and risks
Arrange it properly, both with the supplier and with stakeholders
