
Data Privacy

The EU General Data Protection Regulation (GDPR), which governs how personal data of individuals in the EU may be processed and transferred, went into effect on May 25, 2018. The GDPR is comprehensive privacy legislation that applies across sectors and to companies of all sizes. It replaces the Data Protection Directive 1995/46. The overall objectives of the measures are the same: laying down the rules for the protection of personal data and for the movement of data.

GDPR is broad in scope and uses broad definitions.  “Personal data” is any information that relates to an identified or identifiable living individual (data subject) such as a name, email address, tax ID number, online identifier, etc.  “Processing” data includes actions such as collecting, recording, storing and transferring data.  

A company that is not established in the Union may have to comply with the Regulation when processing personal data of EU and EEA residents (EEA countries are Norway, Liechtenstein and Switzerland):
a)    If the company offers goods or services to data subjects in the EU; or,
b)    If the company is monitoring data subjects’ behavior taking place within the EU.

The mere accessibility of a company’s website in the EU is insufficient to subject a company to GDPR, but other evidence of the intent to offer goods or services in the EU would be relevant.

As a general rule, companies that are not established in the EU but that are subject to GDPR must designate in writing an EU representative for purposes of GDPR compliance. There is an exception to this requirement for small scale, occasional processing of non-sensitive data.

The GDPR requires compliance for international personal data transfers.  The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.

Data Privacy RESOURCES for US Business

GDPR full text

https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1532348683434&uri=CELEX:02016R0679-20160504

USEACs & Foreign Commercial Service offices & market intelligence

https://www.export.gov/welcome

GDPR & EU-US Privacy Shield Recorded Webinar, 5/22/18: https://emenuapps.ita.doc.gov/ePublic/event/editWebReg.do?SmartCode=8QER

European Commission

http://ec.europa.eu/justice/data-protection/reform/index_en.htm

http://ec.europa.eu/justice/smedataprotect/index_en.htm

https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en

List of Data Protection Authorities in Member States:

https://edpb.europa.eu/about-edpb/board/members_en

Data Protection Authorities guidelines

https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en


Commercial Service introductory report on international personal data transfers from the EU to the U.S.: https://www.export.gov/article?id=European-Union-Transferring-Personal-Data-From-the-EU-to-the-US

More information on Privacy Shield: https://www.privacyshield.gov/welcome

For general inquiries about EU data privacy legislation, please send an email to: office.brusselsec@trade.gov.



Export.gov is managed by the International Trade Administration and external links are covered by its website disclaimer statement.
