All data subjects have specified rights with respect to the use of their personal data held by a controller or processor. In general, the EU does not list the US as one of the countries that meets this requirement and therefore a data transfer to the US requires further safeguards.
The Privacy Shield was a certification for US companies which the EU recognised as providing adequate safeguards. It only applied to the company that the data was being transferred to, and then only for the specific service. From a practical perspective, relying upon the Privacy Shield was relatively simple: it meant visiting the Privacy Shield website and ensuring that the company (and service) you were transferring to was listed.
The Privacy Shield has now been replaced in the EU by the Data Privacy Framework (dataprivacyframework.gov), which the UK has in effect adopted as part of its own UK to US data bridge. Therefore, a data transfer can take place if the organisation that the data is being transferred to has been certified on the EU Data Privacy Framework. Should the organisation not be certified, then the transfer to the company should not be deemed adequate and therefore other appropriate safeguards must be put in place instead.
How can ProvePrivacy Help?
Whilst this may appear to be a complex subject, ProvePrivacy helps to guide the Data Champion in understanding what safeguards can be applied through its dynamic activity workflows.