Beyond World Wide Privacy Regulations

Location data complying with the GDPR

What do we mean by location data?

It is information about the specific geographic location of a particular device, in which data about any information related to an identified or unidentified natural person is stored.

So let's clarify what the GDPR regulation on storing personal data says, e.g. phone number, credit card, account details, number plate, appearance, customer number?

The following text reads: "It is important to consider the content of the data. Information that identifies a person, even without a name attached, may be personal information if you are processing it to learn something about that person or if processing this information will have an impact on that person. Records that contain information that is clearly about a specific individual are considered to be "related to" that individual, such as their medical history or criminal record. Records that have information describing an individual's activities may also qualify, such as a bank statement. Any data that relates to an identifiable individual is personal data. Data that is used to learn or make decisions about an individual is also personal data. Records on electricity and water usage would be considered personal data, as this information is used to determine how much to charge an individual.

Also information that, when processed, could have an impact on an individual, even if that was not its primary purpose, is also considered personal information. For example, private transport companies track their drivers so that they can find the nearest available car to assign to a request. However, this data could also be used to monitor whether drivers follow traffic rules and to measure their productivity rate." Source: https://gdpr.eu/eu-gdpr-personal-data/

We must also take into account the storing data in cookies, as they are storing user information, whether technical or specific, to third parties with or without consent; they are governed by GDPR regulations, falling headlong into the consent mode banners (link) systems that we have already discussed in previous posts.

What to do to comply with GDPR requirements in terms of data storage?

According to GDPR regulations, data can only be processed with the authority of the network, service or value-added service provider. In addition, that information must be anonymised or you must have consent to use it. That consent must be freely given, it must be specific and it must be informed. This means that the person from whom data is being collected must have had to take positive steps to consent to its collection.

As we have discussed in another post, the General Data Protection Regulation, or GDPR, created an EU framework for privacy and the management of citizens' data. The characteristics of this regulation implied, at the time of its application, that consumers had more control over their data and that brands and companies had to be much more transparent about how they managed information.

Well, knowing what data can be and that it is housed on a device, (let's call it that for the moment), in a specific physical location, the question is:

What do the regulations tell us about the storage location?

If the data storage is about users browsing within the EU, the regulation is clear, does GDPR require data to be stored in EU. The law is clear that companies must rely on providers with data centres in Europe.

It is explicit and clear about storing data, and the legal requirements for storing data.

Let us elaborate on this statement:

We know that information collected from users is uploaded to the cloud, and that information is stored somewhere. We therefore take into account that this "cloud" is a tangible place after all, and conclude that the servers that provide this service are hosted in physical locations. 

Well, knowing then that behind the storage there are physical servers located in geographical spaces, their location is crucial; based on the European data protection regulation as mentioned above, such storage servers must be hosted in the EU. 

Now, one more question remains for those companies that work with EU user data, but store it outside the EU.

What does the GDPR regulation on storing data outside EU tell us?

"Companies that are not based within the EU and that process data of EU citizens must appoint a representative in the EU."

When personal data is transferred outside the EU, the protection offered by the GDPR will accompany the data. This means that if the data is exported abroad, the company must ensure that one of the following conditions is met:

• The data protection of the non-EU country is considered adequate.
• The company takes the necessary measures to provide adequate safeguards, such as the inclusion of specific clauses in the contract concluded with the non-EU importer of the personal data.
• The company relies on specific grounds for the transfer (exceptions), such as the consent of the data subject."

Source: https://europa.eu/youreurope/business/dealing-with-customers/data-protection/data-protection-gdpr/index_es.htm#shortcut-6

In short, the protection offered by the General Data Protection Regulation (GDPR) travels with the data, meaning that the rules protecting personal data continue to apply regardless of where the data arrives.

And finally, in October 2022 the EU and the US appear to have reached a data transfer agreement, whereby companies will be able to store their personal data on servers located in the US without violating the rules.

Seal Metrics tell you that our servers are located in the EU.

Trusted by EU Marketers