A multinational company operating in the EU uses a cloud service provider based in the US to process personal data of EU data subjects. The company is considered a data controller under the GDPR. Which of the following must the company ensure is in place to lawfully transfer personal data from the EU to the US?
Trap 1: A binding corporate rule approved by the US Department of Commerce
BCRs are for intra-group transfers and approved by EU DPAs, not the US Department of Commerce.
Trap 2: An adequacy decision by the US Federal Trade Commission
Adequacy decisions are made by the European Commission, not the FTC.
Trap 3: A data processing agreement solely between the cloud provider and…
Data processing agreements are between controller and processor, not with data subjects.
- A
A binding corporate rule approved by the US Department of Commerce
Why wrong: BCRs are for intra-group transfers and approved by EU DPAs, not the US Department of Commerce.
- B
Standard Contractual Clauses adopted by the European Commission
SCCs are a standard data transfer mechanism under GDPR for transfers to third countries.
- C
An adequacy decision by the US Federal Trade Commission
Why wrong: Adequacy decisions are made by the European Commission, not the FTC.
- D
A data processing agreement solely between the cloud provider and the data subjects
Why wrong: Data processing agreements are between controller and processor, not with data subjects.