We help IT Professionals succeed at work.

GDPR compliance - not an “adequacy decision” country

24 Views
Last Modified: 2020-07-18
Hello!

Our corporate website's server is located in a country that's considered not an “adequacy decision” country, according to GDPR.
I'm aware that GDPR allows that (under certain conditions). It's just I don't understand exactly what must be done to match those requirement. GDPR says: "In the absence of an adequacy decision, the GDPR does allow a transfer if the controller or processor has provided “appropriate safeguards”. These safeguards may include:

Standard data protection clauses: Then some legal mumbo-jumbo that means nothing to me.
Binding corporate rules “BCRs”: Then some legal mumbo-jumbo that means nothing to me.

So as a Data Protection Officer - what exactly should I do (if anything)?
Comment
Watch Question

Principal Software Engineer
CERTIFIED EXPERT
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Author

Commented:
Dr.Klahn,
Thanks for your reply!
So basically, it's not a technical question, but a legal one...
And if the company is registered in the UK, then if I were to seek legal advice, I must turn to UK lawyer or any lawyer in EU could do that?
madunixExecutive IT Director, (EE MVE)
CERTIFIED EXPERT
Most Valuable Expert 2019

Commented:
Consult a Lawyer, GDPR affects any EU citizen/companies data regardless of where the data sits.  
It also addresses the transfer of personal data outside the EU and EEA areas, but here is something from their site where it states it expanded: Increased Territorial Scope (extraterritorial applicability).

This topic has arisen in several high profile court cases. GDPR makes its applicability very clear – it applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.

The GDPR applies to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behavior that takes place within the EU. Non-EU businesses processing the data of EU citizens also have to appoint a representative in the EU.

https://eugdpr.org/the-regulation/
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_3_2018_territorial_scope_en.pdf
http://arbitrationblog.practicallaw.com/the-need-for-a-data-protection-protocol-for-arbitration-proceedings/



Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.