Transfer of personal data to the US – Is it allowed?

Companies from the United States can get their hands on personal data. Consider Google, which can collect IP addresses through Google Analytics. Are you working with an American party? Using the Data Privacy Framework, you can examine whether the transfer of personal data to the U.S. is permitted and what considerations may be relevant. We offer an overview of the steps you can follow to make an informed decision.

What is the Data Privacy Framework?

The Data Privacy Framework includes agreements on the secure transfer of personal data to the US. On July 10, 2023, new agreements entered into force between the European Union and the US regarding the transfer of personal data from the European Economic Area (EEA) to the US. These agreements are known as the Data Privacy Framework.

Examples of Personal Data

  • IP addresses
  • Email addresses
  • Birth dates

Organizations in the U.S. can join the Data Privacy Framework. When they do, the transfer of personal data from the EEA to these organizations is permitted without the European party having to take additional legal and technical measures. These companies must comply with similar requirements to the GDPR, including restricting access by U.S. intelligence agencies. However, companies that do not participate, such as those in the banking and insurance sectors, remain subject to strict conditions.

Step 1: Verify that the Organization Participates in the Data Privacy Framework

The first step is to verify that the U.S. organization to which you want to transfer personal data participates in the Data Privacy Framework. You can do this by going to the Data Privacy Framework website and entering the name of the company you will be working with.

Step 2: Follow-Up Steps

Next, there are two possible scenarios:

Organization Participates in the Data Privacy Framework

If the U.S. organization to which you want to transfer personal data participates in the Data Privacy Framework, and if the specific product you want to use is also covered by this framework, you may transfer the personal data. You don’t have to use any other transmission tool for this, nor do you have to take any additional measures to protect the data.

Organization Does Not Participate in Data Privacy Framework

If the U.S. organization to which you want to transfer personal data does not participate in the Data Privacy Framework, you may be able to take additional measures.

  1. Use a Transfer Tool: You can use a transfer tool for transfers to a country outside the EEA, such as a model contract or binding corporate rules (BCR).
  2. Take Additional Measures: If necessary, you can take additional measures to protect personal data.

What might these additional measures be? To determine the appropriate additional measures, use the EDPB’s “Recommendations for Measures to Supplement Pass-Through Instruments.” The EDPB lists several safeguards you can consider, such as proper encryption and pseudonymization. You must decide on a case-by-case basis which measure or combination of measures is necessary to properly protect personal data.

Having doubts?

If you are in doubt, the Dutch Personal Data Authority (AP) advises that you also ask the organization itself whether the specific product falls under the Data Privacy Framework.

How TAGGRS Ensures that Personal Data is Protected

Server Side Tracking

TAGGRS offers hosting software for Google Tag Manager Server Side Tracking. In these 3 ways, Server Side GTM ensures you can be GDPR compliant:

  • Improved Control over Third-Party Data: Server Side GTM allows you to control more precisely which data is submitted to external parties such as Facebook, giving you control over the information they can see.
  • Secure Processing of Sensitive Info and PII: Server Side GTM helps you comply with the policies of platforms such as Google and Facebook by removing or hashing personally identifiable information (PII) such as IP addresses before submitting it to external platforms.
  • Effective Data Management: Server Side GTM provides solutions such as hashing user data to the standards of different platforms and customizing website URLs before forwarding them to external parties, which is especially useful for protecting sensitive information in URLs.
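
The scrubbing steps named in the list above (hashing user data, removing IP detail, cleaning URLs before forwarding), as an added example in plain Node.js. It is not TAGGRS code and not a GTM server template; the parameter denylist, function names and sample event are assumptions made for illustration.

```javascript
// Added illustration: plain Node.js, not a GTM server template and not TAGGRS code.
const crypto = require('node:crypto');

// Hypothetical denylist of query parameters that commonly carry PII.
const PII_PARAMS = new Set(['email', 'phone', 'name', 'token']);
const EMAIL_RE = /[^\s@]+@[^\s@]+\.[^\s@]+/;

// Normalise (trim + lowercase) then SHA-256, so one address always maps to one digest.
function hashEmail(email) {
  const normalised = email.trim().toLowerCase();
  return crypto.createHash('sha256').update(normalised, 'utf8').digest('hex');
}

// Zero the last octet of an IPv4 address; drop anything that is not plain IPv4.
function truncateIp(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\d{1,3}$/.exec(ip || '');
  return m ? `${m[1]}.${m[2]}.${m[3]}.0` : undefined;
}

// Remove query parameters whose name is denylisted or whose value looks like an email.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const [key, value] of [...url.searchParams.entries()]) {
    if (PII_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      url.searchParams.delete(key);
    }
  }
  return url.toString();
}

// Build the only payload that is allowed to leave the server for a third party.
function scrubEvent(event) {
  return {
    event_name: event.event_name,
    page_location: scrubUrl(event.page_location),
    ip: truncateIp(event.ip),
    email_sha256: event.email ? hashEmail(event.email) : undefined,
  };
}

// Constructed sample event (not real data).
const sample = {
  event_name: 'purchase',
  page_location: 'https://shop.example/checkout?email=jane%40example.com&utm_source=news&ref=bob%40example.org',
  ip: '203.0.113.42',
  email: '  Jane.Doe@Example.COM ',
};
console.log(scrubEvent(sample));
```

A hashed email address is still a stable identifier for the same person, so this step is pseudonymization rather than anonymization.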

See more in our blog on GDPR and Server side tracking.

GDPR Tool for Anonymization

TAGGRS offers a GDPR tool that can effectively anonymize personal data. This tool helps you comply with GDPR regulations by ensuring that sensitive data is converted into a form that cannot be traced back to individuals.

Proprietary Server Locations

TAGGRS uses its own server locations, so data does not have to leave the country. This provides an additional layer of protection because the data can remain within the country’s borders, which can help ensure compliance with local laws and regulations and minimize risks associated with international data transfers.

Outro

Transferring personal data to the U.S. requires careful consideration. Check if your partner organization participates in the Data Privacy Framework and take additional measures if necessary. With tools like those from TAGGRS, you can effectively manage and protect personal data.

FAQ Data privacy framework

Why is TAGGRS not in the Data Privacy Framework?

TAGGRS is a European company, and the Data Privacy Framework is intended only for U.S. companies.

Is Google in the Data Privacy Framework?

Yes, Google participates in the Data Privacy Framework.


About the author

Ate Keurentjes

Server Side Tracking Specialist at TAGGRS

Ate Keurentjes is a Server Side Tracking specialist at TAGGRS. He has experience with various Google Tag Manager concepts. Keurentjes has been editing and writing about the latest developments and trends in data collection / Server side tracking since 2023.