FAQs
Storage of data outside the EU is forbidden by the GDPR. However, there are no rules without exceptions: for example, personal data about air passengers is shared more liberally, e.g. with the US and Australia.
Can EU data be stored in the US?
On the basis of the adequacy decision, personal data can flow freely from the EU to companies in the United States that participate in the Data Privacy Framework.
Does GDPR apply to data collected outside the EU?
The GDPR sets out detailed requirements for companies and organisations on collecting, storing and managing personal data. It applies both to European organisations that process personal data of individuals in the EU, and to organisations outside the EU that target people living in the EU.
How does the EU protect their data?
The GDPR lists the rights of the data subject, meaning the rights of the individuals whose personal data is being processed. These strengthened rights give individuals more control over their personal data, including through: the need for an individual's clear consent to the processing of his or her personal data.
Can you use mobile data outside the EU?
Before you travel, check the roaming costs for the country you are visiting with your mobile provider. The charges for roaming outside of the EU are considerably higher than within the EU. This can be upwards of €5 per megabit.
Does GDPR apply to the US?
Yes, the GDPR can apply to businesses in the US or any business outside the European Union. As per Article 3 of the GDPR, the territorial scope of the GDPR applies to businesses regardless of whether the processing takes place in the European Economic Area (EEA).
Does GDPR apply to US citizens visiting the EU?
According to Recital 14 of the legislation, its guidelines apply to all individuals in Europe, regardless of their place of residence. Here are some scenarios to understand more about GDPR compliance for US citizens: An American visits Germany. The tourist places an online order for food in a local restaurant.
What is the extraterritorial scope of the GDPR?
Even if a company is not established in the EU, the GDPR can still apply if the company (a) “targets” individuals in the EU by offering them products or services; or (b) “monitors” their behavior, as far as that behavior takes place in the EU.
Does GDPR cover all of Europe?
The EEA GDPR applies to all 27 member countries of the European Union (EU). It also applies to all countries in the European Economic Area (the EEA). The EEA is an area larger than the EU and includes Iceland, Norway, and Liechtenstein.
What is the difference between GDPR and the US?
The GDPR is one of the most comprehensive data protection laws in the world and provides an overarching framework for the processing of personal data in the EU. By contrast, U.S. state laws are more targeted in their scope and contain a narrower set of obligations.
Lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. These principles are found right at the outset of the GDPR, and inform and permeate all other provisions of that legislation.
Which countries are EU adequate for data protection?
Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Isle of Man, Israel, Japan (private-sector organisations only), Jersey, New Zealand, Switzerland and Uruguay. These are the countries, territories or sectors that the European Commission has made a finding of adequacy about.
Can a data controller transfer personal data to us?
Personal data transfers from controllers and processors in the EU to DPF certified organisations in the U.S. may take place without the need to obtain any further authorisation.
What countries are adequate for EU data transfer?
In total there are 16 adequacy decisions in place, respectively for Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom (under the GDPR and the LED), the United States (for commercial ...
Is the US an adequate country under GDPR?
On 10 July 2023 the European Commission formally recognised the Framework as providing an adequate level of data protection, bringing the Framework into operation for EU-US transfers.