
I'm a bit lost in here and need some direction.

According to the EU GDPR, PII data should never leave the EU. But can it be taken out and processed outside, such as on a server that is situated in the US, and then put back in the EU?

Is this something people do or is the process I mentioned above acceptable?

I'm sure that the best way is always to keep everything in the EU, but due to the complexity of moving everything, I'm just wondering whether moving just the storage into the EU would work or not.

  • How would you process the data in the US without storing it in the US? – hft Jan 28 '21 at 04:23
  • @hft e.g. I would be pulling the data from an EU datacenter to a VM situated in the US, then processing it inside the VM, and once done, pushing it back to the EU and discarding it from the VM. – Saikat Chakrabortty Jan 28 '21 at 04:37
  • The data would be stored in memory (RAM, registers) of the US machine. – hft Jan 28 '21 at 05:04
  • Yeah, technically true. Now it makes sense to me that it should not, by any means, leave the EU in this case. If this is true or I have understood it correctly, would you create an answer, maybe? I'd appreciate that. – Saikat Chakrabortty Jan 28 '21 at 05:11
  • 1
    You can't persist the data outside of the EU, but I doubt it's practical for that data to not go outside of the EU at all. Otherwise every company that provides service to European customers would need to have a server in the EU. – Limit Jan 28 '21 at 06:42
  • 2
    Does this answer your question? [Does GDPR apply for volatile data](https://security.stackexchange.com/questions/230657/does-gdpr-apply-for-volatile-data) – Limit Jan 28 '21 at 06:44
  • 2
    Please note that [security.se] is more a place to highlight the technical side. For the legal aspects, please check [law.se]. – Steffen Ullrich Jan 28 '21 at 06:56
  • GDPR regulates processing of personal data, and storage is just one kind of processing. If you transfer data into a non-EEA country for processing, that is still an international transfer and therefore has extra compliance obligations. Regulators only make exceptions for data that is in transit, without undergoing processing. – amon Jan 28 '21 at 07:27

0 Answers