Network Trace
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

01) Which countries do you store personal data in, or transfer personal data to?

August 30, 2022
Data Protection Officer

Please list all countries where personal data controlled or processed by you resides or is transferred to or through. This includes the location of your head office and data centres, as well as locations of sub-processors. For each country listed, please describe what data is stored or transferred and under what circumstances.

Awareness of the location of personal data is important when assuring compliance with nation and state data protection and privacy laws around the globe. Today, there are more than 120 countries already engaged in some form of international privacy laws for data protection to ensure that citizens and their data are offered more rigorous protections and controls. These laws and regulations are constantly evolving.

Organisations need to ensure that they are complying not only with their local national laws, but also the legal requirements of the nation from where personal information originates.

For example, the Commission Nationale de l’Informatique et des Libertés (CNIL) acting as French Data Protection Authority provides guidance on where and to what extent different global territories comply with the requirements of the EU General Data Protection Regulation (GDPR). From this, if we click on the map it can be seen that the US ‘does not ensure an adequate level of data protection recognised by the EU’. If an organisation chooses to process French citizen personal data using a sub-processor in the US (for example using Salesforce or Hubspot hosted in the US), that organisation must apply sufficient controls through contract clauses, administrative and technical controls to ensure that data processing is at least equivalent to the privacy and protection requirements of GDPR.

How to implement the control

You must ensure that for each case where personal data is processed, transferred or stored that you are aware of the locations involved.

If required, a third party data protection consultancy can review your organisation’s data processing activities and verify the locations and activities involved.

If you would like to contribute to this article or provide feedback, please email Contributors will be recognised on our contributors page.

Pattern Trapezoid Mesh

Defend against supply chain attacks with Defend-As-One.

No organisation is an island.