January 23, 2022

Volume XII, Number 23

Advertisement
Advertisement

January 21, 2022

Subscribe to Latest Legal News and Analysis

January 20, 2022

Subscribe to Latest Legal News and Analysis
Advertisement

When a European Union data subject transmits data directly to a US company, is an adequacy measure required?

No.

The GDPR requires that when a “controller or processor … transfer[s] … data to a third country” that is not considered to have data protection laws analogous to those within the European Union, it utilizes an adequacy measures.[1] In situations where an individual within the European Union is initiating the transfer to a company located outside of the European Union, the receiving entity is not “transferring” the data out of the EU, as it never exercised control over the data within the EU. Put differently, in such cases “there is no controller or processor sending or making the data available” and, as a result, the receiving entity is not required to utilize an adequacy measure.[2] For example, if the individual transmitting the information does so in order to make a personal transaction or purchase (e.g., a purchase from a U.S. eCommerce website), their actions are exempt from the application of the GDPR.[3]

Companies that are located in the United States and often receive data directly from data subjects in the European Union may want to make sure (if it is not obvious) that the data subject knows that he or she is transmitting information to the United States and consider asking the data subject to consent to the transfer.[4]


[1] GDPR, Article 46(1).

[2] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, adopted on 18 Nov. 2021, at para. 12.

[3] GDPR, Article 2(c) (stating that the GDPR does not apply to the processing by a natural person in the course of a personal or family activity).

[4] GDPR, Article 49(1)(a).  If consent is obtained, a company could also argue that the transfer is permitted under the exception to the prohibition on cross-border transfers where a “data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks . . . due to the absence of an adequacy decision and appropriate safeguards.”  GDPR, Article 49(1)(a).

©2022 Greenberg Traurig, LLP. All rights reserved. National Law Review, Volume XI, Number 335
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

David A. Zetoony Privacy Attorney Greenberg Traurig
Shareholder

David Zetoony, Co-Chair of the firm's U.S. Data, Privacy and Cybersecurity Practice, focuses on helping businesses navigate data privacy and cyber security laws from a practical standpoint. David has helped hundreds of companies establish and maintain ongoing privacy and security programs, and he has defended corporate privacy and security practices in investigations initiated by the Federal Trade Commission, and other data privacy and security regulatory agencies around the world, as well as in class action litigation. 

David receives regular recognitions from clients and peers for...

303.685.7425
Advertisement
Advertisement
Advertisement