Data Privacy
The EU General Data Protection Regulation (GDPR), which governs how personal data of individuals in the EU may be processed and transferred, went into effect on May 25, 2018. The GDPR is a comprehensive privacy legislation that applies across sectors and to companies of all sizes. It replaces the Data Protection Directive 1995/46. The overall objectives of the measures are the same – laying down the rules for the protection of personal data and for movement of data.
GDPR is broad in scope and uses broad definitions. “Personal data” is any information that relates to an identified or identifiable living individual (data subject) such as a name, email address, tax ID number, online identifier, etc. “Processing” data includes actions such as collecting, recording, storing and transferring data. A company that is not established in the Union may have to comply with the Regulation when processing personal data of EU and EEA residents (EEA countries are Norway, Lichtenstein and Switzerland): a) If the company offers goods or services to data subjects in the EU; or, b) If the company is monitoring data subjects’ behavior taking place within the EU.
The mere accessibility of a company’s website in the EU is insufficient to subject a company to GDPR, but other evidence of the intent to offer goods or services in the EU would be relevant.
As a general rule, companies that are not established in the EU but that are subject to GDPR must designate in writing an EU representative for purposes of GDPR compliance. There is an exception to this requirement for small scale, occasional processing of non-sensitive data.
The GDPR requires compliance for international personal data transfers. The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.
Data Privacy RESOURCES for US Business
GDPR full text
https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1532348683434&uri=CELEX:02016R0679-20160504
USEACs & Foreign Commercial Service offices & market intelligence
https://www.export.gov/welcome
GDPR & EU-US Privacy Shield Recorded Webinar, 5/22/18: https://emenuapps.ita.doc.gov/ePublic/event/editWebReg.do?SmartCode=8QER
European Commission
http://ec.europa.eu/justice/data-protection/reform/index_en.htm
http://ec.europa.eu/justice/smedataprotect/index_en.htm
https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
List of Data Protection Authorities in Member States:
https://edpb.europa.eu/about-edpb/board/members_en
Data Protection Authorities guidelines
https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en
Commercial Service introductory report on international personal data transfers from the EU to the U.S.: https://www.export.gov/article?id=European-Union-Transferring-Personal-Data-From-the-EU-to-the-US
More information on Privacy Shield: https://www.privacyshield.gov/welcome
For general inquiries about EU data privacy legislation, please send an email to: office.brusselsec@trade.gov.
Notice to Visitors!
The link you have chosen will take you to a non-U.S. Government website.
If the page does not appear in 5 seconds, please click this: outside web site
Export.gov is managed by the International Trade Administration and external links are covered by its website disclaimer statement.
BuyUSA.gov is managed by the International Trade Administration and external links are covered by its website disclaimer statement.