With that philosophy in mind of meeting the highest bar we could, Box underwent the lengthy Binding Corporate Rules (BCRs) approval process by the EU data protection authorities (DPAs), who focus on the organizational and technical measures the applicant has put in place to safeguard the personal data transfers of its customers and their clients. After the arduous review process, Box received approval for its Global Processor and Controller BCRs enabling us to transfer personal data outside of the European Economic Area (EEA), in accordance with the European data protection regulations.
It was no surprise that the high bar for data privacy accepted the high bar for data transfer. The GDPR recognizes these BCRs as valid mechanisms for the transfer of person data from the EEA, including from the EU member states, to the United States.
So when the GDPR comes into effect in May of 2018, an organization is well-positioned to address GDPR for protecting EU personal data that is processed by Box.