Table of contents

Transfer of personal data to the US - Is it allowed?

Transfer of personal data to the US - Is it allowed

Companies from the united states can get their hands on personal data. Consider Google, which can collect IP addresses through Google Analytics. Are you working with a U.S. party? Using the Data Privacy Framework, you can investigate whether the transfer of personal data to the U.S. is permitted and what considerations may be relevant. We provide an overview of the steps you can follow to make an informed decision....

What is the Data Privacy Framework?

The Data Privacy Framework includes agreements on the secure transfer of personal data to the US. On July 10, 2023, new agreements entered into force between the European Union and the US regarding the transfer of personal data from the European Economic Area (EEA) to the US. These agreements are known as the Data Privacy Framework.

Examples of Personal Data

  • IP addresses
  • Email addresses
  • Birth dates

Organizations in the U.S. can join the Data Privacy Framework. When they do, the transfer of personal data from the EEA to these organizations is allowed without the European party having to take additional legal and technical measures. These companies must comply with similar requirements to the AVG, including limiting access by U.S. intelligence agencies. However, companies that do not participate, such as those in the banking and insurance sectors, remain subject to strict conditions.

Step 1: Verify that the Organization Participates in the Data Privacy Framework

The first step is to verify that the U.S. organization to which you plan to transfer personal data participates in the Data Privacy Framework. You can do this by going to the Data Privacy Framework website and entering the name of the company you will be working with.

Step 2: Follow-up steps

Next, there are two possible scenarios:

Organization Participates in the Data Privacy Framework

If the U.S. organization to which you want to transfer personal data participates in the Data Privacy Framework, and if the specific product you want to use is also covered by this framework, you may transfer the personal data. You do not have to use any other transfer instrument or take any additional measures to protect the data.

Organization Does Not Participate in Data Privacy Framework

If the U.S. organization to which you want to transfer personal data does not participate in the Data Privacy Framework, you may be able to take additional measures.

  1. Use a Transfer Tool: You can use a transfer tool for transfers to a country outside the EEA, such as a model contract or binding corporate rules (BCR).
  2. Take Additional Measures: If necessary, you can take additional measures to protect personal data.

What might these additional measures be? To determine the appropriate additional measures, you can use the EDPB's"Recommendations for Measures Supplemental to Transfer Instruments." The EDPB lists several safeguards you can consider, such as proper encryption and pseudonymization. You should consider on a case-by-case basis what measure or combination of measures is necessary to properly protect personal data.

Having doubts?

Then the Dutch Personal Data Authority (AP) advises to additionally inquire with the organization itself whether the specific product also falls under the Data Privacy Framework.

How TAGGRS ensures that Personal Data is Protected.

Server Side Tracking

TAGGRS offers hosting software for Google Tag Manager Server Side Tracking. In these 3 ways, Server Side GTM ensures that you can be GDPR compliant:

  • Enhanced Control over Third-Party Data: Server Side GTM allows you to more precisely manage what data is sent to external parties such as Facebook, giving you control over the information they can see.
  • Secure Processing of Sensitive Info and PII: Server Side GTM helps you comply with the policies of platforms such as Google and Facebook by removing or hashing personally identifiable information (PII) such as IP addresses before sending it to external platforms.
  • Effective Data Management: Server Side GTM provides solutions such as hashing user data to the standards of different platforms and customizing Web site URLs before forwarding them to external parties, which is especially useful for protecting sensitive information in URLs.

See more in our blog on GDPR and Server Side Tracking.

GDPR Tool for Anonymization

TAGGRS offers a GDPR tool that effectively anonymizes personal data. This tool helps you comply with AVG regulations by ensuring that sensitive data is converted into a form that cannot be traced back to individuals.

GDPR-tool-taggrs-dashboard-1

Proprietary Server Locations

TAGGRS uses its own server locations, so data does not have to leave the country. This provides an additional layer of protection because the data can remain within the country's borders, which can help ensure compliance with local laws and regulations and minimize risks associated with international data transfers.

taggrs-server-locations-globe

Outro

Transferring personal data to the U.S. requires careful consideration. Check that your partner organization participates in the Data Privacy Framework and take additional measures if necessary. Tools such as those provided by TAGGRS allow you to effectively manage and protect personal data.

FAQ Data privacy framework

Why is TAGGRS not in the Data Privacy Framework?

TAGGRS is a European company, and the Data Privacy Framework is intended only for U.S. companies.

Is Google in the Data Privacy Framework?

Yes, Google participates in the Data Privacy Framework.

About the author

Recently published

magnifiercrossmenu linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram