GDPR COMPLIANCE: REGULATIONS FOR THE EXPORT OF PERSONAL DATA FROM THE EUROPEAN UNION
Compliance with GDPR is an urgent issue, since in recent years, when accessing any Internet resource, active users of the World Wide Web noted a change in privacy policy, as well as an update to this system.
There has also been a change in the type of request to save cookies (cookies) – temporary files and the possibility of using personal data.
This is due to the entry into force of the updated GDPR Regulation (GeneralDataProtectionRegulation) of the European Union No. 2016/679, which applies to all Internet pages from 05.25.2018.
REGULATIONS FOR THE EXPORT OF PD FROM THE EUROPEAN UNION ACCORDING TO THE GDPR REGULATION
The GDPR document sets forth the basic requirements and rules regarding the use of personal data (PD), as well as to all participants in the Regulation.
A very topical issue of the GDPR regarding organizations outside the EU is the requirement for the export (movement) of PD outside the territory of the Union of European States.
The main need to comply with the requirements of the GDPR Regulation is the case when the company acts:
- PD controller (datacontroller), namely manages his own data bank in the EU;
- a data processor (dataprocessor), which implies contact with the bank of personal data of members of the European Union.
There are a number of sanctions for non-compliance, so all companies that somehow work with users from the EU are required to adhere to the GDPR.
THE CONCEPT OF “EXPORT OF PD FROM THE EUROPEAN UNION” AND SUBJECTS OF DISTRIBUTION OF GDPR
The movement of PD from the EU countries occurs between the following data import and export entities:
- from a processor in the European Union – a subprocessor located outside the European Union;
- from a controller located in the European Union to a processor outside the EU;
- from the controller in the European Union – to the controller outside the European Union.
PERSONAL DATA EXPORT REGULATION ON GDPR
The fundamental principle of Ch. 5 of the GDPR Regulation on the permitted export of PD outside the EU states that regardless of where the PD is processed, the Regulation guarantees the established level of protection of the rights of individuals.
This regulation fully applies to the countries of the European Economic Area (CES), which in addition to the EU countries include Liechtenstein, Iceland, and Norway.
The export of personal information between the EU and the CES is positioned as the movement of PD across the EU.
WHAT ACTIONS DO THE NON-EUROPEAN WEB RESOURCES WORKING WITH THE RESIDENTS OF THE EUROPEAN UNION TAKE?
Countries that are not in the EU, but are data importers, must be prepared for such requests to be consistent with GDPR rules, without which doing business in the EU will become illegitimate.
Regardless of the location of the data importing country, all GDPR points apply to it regarding the organization of the necessary PD protection measures, as well as the appointment in some situations of a representative in the European Union, and a database protection inspector (DataProtectionOfficer, DPO).
Only after signing a bilateral agreement will it be possible to process PD on the guarantee of an EU controller.
Eternity Law International specialists will assist you in providing legal assistance in establishing compliance of your business structure with GDPR Regulation. Any difficulties can be overcome.
We will tell you which jurisdiction in the EU or outside it to choose to register and conduct your business. We will help you write Privacypolicy and other clauses in accordance with GDPR.