Transferring Personal Data from the EU to the U.S.:
EU General Data Protection Regulation (GDPR)

The EU General Data Protection Regulation (GDPR), which governs how personal data of individuals in the EU may be processed and transferred, went into effect on May 25, 2018. The GDPR is a comprehensive privacy legislation that applies across sectors and to companies of all sizes. It replaces the Data Protection Directive 1995/46. The overall objectives of the measures are the same – laying down the rules for the protection of personal data and for movement of data.

GDPR is broad in scope and uses broad definitions.  “Personal data” is any information that relates to an identified or identifiable living individual (data subject) such as a name, email address, tax ID number, online identifier, etc.  “Processing” data includes actions such as collecting, recording, storing and transferring data.  

A company that is not established in the Union may have to comply with the Regulation when processing personal data of EU and EEA residents (EEA countries are Norway, Lichtenstein and Switzerland):

a) If the company offers goods or services to data subjects in the EU; or,

b) If the company is monitoring data subjects’ behavior taking place within the EU.

The mere accessibility of a company’s website in the EU is insufficient to subject a company to GDPR, but other evidence of the intent to offer goods or services in the EU would be relevant. 

As a general rule, companies that are not established in the EU but that are subject to GDPR must designate in writing an EU representative for purposes of GDPR compliance.  There is an exception to this requirement for small scale, occasional processing of non-sensitive data. 

The GDPR requires compliance for international personal data transfers.  The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

Please visit the main export.gov website for detailed information about GDPR.


  Notice to Visitors!


  The link you have chosen will take you to a non-U.S. Government website.

  If the page does not appear in 5 seconds, please click this: outside web site

  Export.gov is managed by the International Trade Administration and external links are covered by its website  disclaimer statement.


  Notice to Visitors!


  The link you have chosen will take you to a non-U.S. Government website.

  If the page does not appear in 5 seconds, please click this: outside web site

  BuyUSA.gov is managed by the International Trade Administration and external links are covered by its website disclaimer statement.