ARTICLE
2 January 2019

GDPR – What Are The Model Contract Clauses?

Berman Fink Van Horn P.C.

Contributor

Berman Fink Van Horn is a full-service business law firm. Our entrepreneurial lawyers help clients run their business. We help start and grow a business - and avoid and resolve business issues along the way. With an exceptional reputation for highly responsive and personal service, finding creative business solutions is a cornerstone of the firm.

Enacted in May 2018, the European Union (EU) General Data Protection Regulations (GDPR) can also impact U.S. businesses. For example, I was recently asked to review "Model Contract Clauses" that my local client received from a company in the EU. The client found this request odd given that he already had a contract with the EU company. As the EU company noted, it recently became subject to the GDPR. However, my client had never given any thought to the GDPR and had no idea what to make of the Model Contract Clauses that he was being asked to sign. I proceeded to give my client a primer on the GDPR and the Model Contract Clauses.

Chapter V of the GDPR outlines the laws that govern transfers of data outside of the EU (called international transfers). Under the GDPR, data may be transmitted outside the EU only if a sufficient level of data protection exists in the recipient's territory/jurisdiction. The European Commission has determined which countries outside the EU offer an adequate level of data protection, whether as a result of the country's international commitments or its domestic legislation. Data can be transferred without additional security measures, such as the Model Contract Clauses, if a country's data protection regime has satisfied the European Commission's adequacy requirements.

Much to my client's surprise, the United States is not on the European Commission's approved list. Accordingly, companies within the EU that make international transfers to U.S. companies must take steps to ensure compliance with the GDPR before any international transfers can occur. To achieve compliance, EU companies can require U.S. companies to sign a contract or an addendum to a contract which contains the European Commission's Model Contract Clauses. The Model Contract Clauses, as in the case of the client, may appear as a Data Processing Addendum to an existing contract. According to the European Commission, the Model Contract Clauses constitute "appropriate safeguards" that permit international data transfers without being in violation of the GDPR.

As a result of our discussions about data transfers and the Model Contract Clauses, I learned that the client did not even have adequate data protection agreements with its local vendors. Fortunately, we were able to remedy that problem quickly by having all the client's vendors sign data security agreements. Whether or not your company or any of its vendors are subject to the GDPR, your company should still take adequate steps to protect its data. The impact of your company's failure to do so can be significant.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
