Data Residency and the GDPR

Some of our Hanco clients have indicated to us that their data must be stored in a particular location.

This is a normal concern. In some cases, clients have asked that their data be stored on servers in their home country, as they believe this will in some way assist in compliance with the GDPR.

Be reassured: as a processor of data, we often encounter a discussion about where the data is resident, and our Hanco clients often seem certain that their data must be stored in a given country. In practice, however, most clients find it difficult to determine what the law actually requires of them.

To understand the obligations and requirements surrounding data storage, you first need to understand the difference in concepts between “data residency” and “data localization.”

What Are Data Residency and Data Localization?

Data residency is when an organization specifies that their data must be stored in a geographical location of their choice, usually for regulatory, tax or policy reasons.

By contrast, data localization is when a law requires that data created within a certain territory stays within that territory.

People arguing that data must be stored in a certain location are usually pursuing at least one of the following three objectives:

  • To allow data protection authorities to exert more control over data retention and thereby have greater control over compliance.
  • In the EU, it is seen as a means to encourage data controllers to store and process data within the EU, or within those countries deemed to have the same level of data protection as the EU, as opposed to moving data to territories considered to have less than “adequate” data protection regimes. The EU has issued only 13 adequacy decisions: for Andorra, Argentina, Canada (commercial organizations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, the US (Privacy Shield only) and Uruguay.
  • Finally, it is seen by some as a tool to strengthen the market position of local data centre providers by forcing data to be stored in-country.

However, it is important to note that accessing personal data is itself considered a “transfer” under data protection law. So even if data is stored in the United Kingdom (for example), if our Hanco security management staff in India access that data for maintenance, customer service or support purposes, it has now “moved” out of the UK. Therefore, you cannot claim “residency” in the United Kingdom, since the data has been accessed (with appropriate transfer tools and safeguards in place, of course) by our support function outside the UK.

Additionally, payment processing functions for many of our websites often take place in other countries, so this is another consideration when crafting your own corporate GDPR compliance. We find that this is an important point that is often missed or misunderstood by our Hanco clients.


Having understood the concepts of data residency and data localization, the next question is: are there data residency or localization requirements under the GDPR?

In short: no. The GDPR does not introduce or include any data residency or localization obligations. There were also no data residency or localization obligations under the GDPR’s predecessor, the Data Protection Directive (95/46/EC). In fact, both the Directive and the GDPR establish mechanisms for transferring data outside the EU.

Having said that, it is important to note that local law may impose certain requirements on the location of data storage (e.g., Romania’s data localization law; Romania, as a member of the EU and EEA, is GDPR compliant, while other countries each have their own particular requirements).


So, if there is no data residency or localization requirement under the GDPR, can we transfer the data to other locations?

The GDPR substantially repeats the requirements of the Data Protection Directive, which states that you need a legal transfer mechanism if you move data outside the EU into a jurisdiction without adequate safeguards (see map here). The legal transfer mechanisms are:

  • Adequacy: a decision by the EU Commission that a country has an adequate level of protection;
  • Binding Corporate Rules: binding internal rules of a company, approved by the data protection authorities;
  • Standard Contractual Clauses / Model Clauses: individually negotiated contracts between controller and processor;
  • Privacy Shield: for US companies only; the self-certification program that replaced Safe Harbor.


I have heard that Privacy Shield and the Standard Contractual Clauses are under serious scrutiny. What is this all about?

This mostly affects us and our clients with payment processing services (such as Stripe, PayPal, etc.), although it is possible that some of our client accounts use plug-ins or components through which personal data can be shared with US-based firms (for example, Google Gmail being used for mail, with the MX records forwarded via Hanco to Google).

Following the European Court of Justice decision that the EU-US Safe Harbor arrangement does not provide adequate protection for the personal data of EU data subjects, the EU and US entered into a new arrangement to enable the transfer of data (the Privacy Shield). However, a number of non-governmental organizations and privacy advocates have started legal action seeking decisions that the Privacy Shield and the EU Standard Contractual Clauses do not provide sufficient protection for data subjects’ personal data.

I have heard that the Standard Contractual Clauses/Model Clauses might be updated. What is that all about?

In order to protect data being transferred outside of the European Union, the Union issued three Standard Contractual Clause templates (for controller-to-controller transfers and for controller-to-processor transfers). These have not been updated since they were first introduced in 2001, 2004 and 2010, respectively.

However, the European Union’s consumer commissioner, under whom privacy falls, has indicated that the EU is working on an updated version of the Standard Contractual Clauses. It remains to be seen how the Clauses will be modernized and whether the shortcomings, concerns and gripes of existing Standard Contractual Clauses will be addressed to the satisfaction of all parties.

One thing is for certain, however—the data protection space will only get more attention from here on out, and those of us working in this space will have to become more accustomed to complexities such as those surrounding Data Residency.


This Hanco knowledgebase article is for information purposes only and does not constitute legal advice, contractual commitment, or advice on how to meet the requirements of any applicable law or achieve operational privacy and security. It is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of applicable privacy laws, or any other law, or advice on the extent to which Hanco Global Europa SRL services can assist you to achieve compliance with privacy laws or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication. This publication is governed by Romanian and EU law.

Solutions descriptions are Copyright © 2024, Hanco, All Rights Reserved.