I’ll have a go at this one, then.

 

You are processing data in the context of activities of a controller based in the Union (for now), and so the processing of data about these students is subject to GDPR.  I do struggle with this one, though, because the loans were presumably offered to US citizens whilst they were in the US, so while their processing isn’t subject to GDPR (despite the subjects later being physically located in the Union), I’m not 100% certain about yours.

 

I think you need a lawful transfer mechanism, based on the fundamental principle that Article 8 Charter rights apply to ‘everyone’, regardless of citizenship.

 

Dan

 

From: This list is for those interested in Data Protection issues [mailto:[log in to unmask]] On Behalf Of Liam Wilkinson
Sent: 16 October 2019 10:02
To: [log in to unmask]
Subject: [data-protection] US Loans Data Agreement

 

Hi all,

 

A question about data sharing agreements and US governmental bodies.

 

We have submitted a controller-controller data sharing agreement to Federal Student Aid (US Department of Education) in order to share student data for purposes of processing US loans.  We are considering this our appropriate safeguard, as set out in Article 46, but have received the following response from Federal Student Aid:

 

“Thank you for sharing this with us.  The Department of Education is part of the United States Government and, as such, is not bound by the laws and regulations of the EU.  We will not be signing the agreement.”

 

We were under the impression that US government bodies still had to comply with GDPR if they were handling the data of those currently residing in the EEA.

 

Is anyone willing to share with me how their University has dealt with this when sharing personal data of their American students?

 

Best wishes

 

Liam Wilkinson | Information Governance Assistant | University Secretary’s Office

York St John University | Tel: 01904 876467 | Email: [log in to unmask]

 

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html and are sent in the body of an otherwise blank email to [log in to unmask]

Any queries about sending or receiving messages please send to the list owner [log in to unmask]

(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)

The information in this email (and any attachment) may be for the intended recipient only. If you know you are not the intended recipient, please do not use or disclose the information in any way and please delete this email (and any attachment) from your system.

The Council does not accept service of legal documents by e-mail.

 

All archives of messages are stored permanently and are available to the world wide web community at large at http://www.jiscmail.ac.uk/lists/data-protection.html

Selected commands (the command has been filled in below in the body of the email if you are receiving emails in HTML format):

All user commands can be found at https://www.jiscmail.ac.uk/help/subscribers/subscribercommands.html and are sent in the body of an otherwise blank email to [log in to unmask]

Any queries about sending or receiving messages please send to the list owner [log in to unmask]

(Please send all commands to [log in to unmask] not the list or the moderators, and all requests for technical help to [log in to unmask], the general office helpline)