Skip to content


The GDPR requires that when a “controller or processor … transfer[s] … data to a third country” that is not considered to have data protection laws analogous to those within the European Union, it utilizes an adequacy measures.[1] In situations where an individual within the European Union is initiating the transfer to a company located outside of the European Union, the receiving entity is not “transferring” the data out of the EU, as it never exercised control over the data within the EU. Put differently, in such cases “there is no controller or processor sending or making the data available” and, as a result, the receiving entity is not required to utilize an adequacy measure.[2] For example, if the individual transmitting the information does so in order to make a personal transaction or purchase (e.g., a purchase from a U.S. eCommerce website), their actions are exempt from the application of the GDPR.[3]

Companies that are located in the United States and often receive data directly from data subjects in the European Union may want to make sure (if it is not obvious) that the data subject knows that he or she is transmitting information to the United States and consider asking the data subject to consent to the transfer.[4]

[1] GDPR, Article 46(1).

[2] EDPB, Guidelines 05/2021 on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR, adopted on 18 Nov. 2021, at para. 12.

[3] GDPR, Article 2(c) (stating that the GDPR does not apply to the processing by a natural person in the course of a personal or family activity).

[4] GDPR, Article 49(1)(a).  If consent is obtained, a company could also argue that the transfer is permitted under the exception to the prohibition on cross-border transfers where a “data subject has explicitly consented to the proposed transfer, after having been informed of the possible risks . . . due to the absence of an adequacy decision and appropriate safeguards.”  GDPR, Article 49(1)(a).