Retarus Press Release

Five tips for ensuring GDPR compliance

Despite increased fines and “Privacy Shield” being invalidated by the CJEU, only one out of five companies is currently in full compliance with the EU’s stringent data protection regulations

Paris, 11.02.2021 // Internationally active companies would be well advised to urgently check the state of their data protection and make certain that the digitalization of their communication processes also ensures compliance with the GDPR. Cloud service provider Retarus, which for decades has been supporting companies in processing their communication data in compliance with the law, points out the key factors that need to be considered.

According to a recent report published by international law firm DLA Piper, the cumulative value of fines imposed for infringements of the EU’s General Data Protection Regulation (GDPR) rose by a mammoth 40 percent across Europe over the past year. Since the GDPR came into effect in May 2018, a total of 281,000 data breach notifications have been reported across Europe. Fines for infringing on the regulations range up to 20 million euros or four percent of global turnover. In Germany alone, fines amounting to 69.1 million euros have already been imposed. Even so, Germany’s digital association Bitkom found that only 20 percent of companies surveyed in Germany – Europe’s largest economy – have fully implemented the GDPR.

Retarus GDPR Overview

One reason for this is the ongoing legal uncertainty surrounding it. The ruling of the European Court (CJEU) on the Privacy Shield adds confusion to the matter.

In the following list, Retarus has compiled useful GDPR tips to provide some clarity, especially for companies that are transferring personal data across the EU’s borders:

1. Clarify what personal data is being transmitted

Personal data comprises all manner of information on an identified or identifiable natural person such as name, location, online identifiers (e.g. IP addresses), as well as facts relating to physical, psychological, economic, or social identity. This even includes fax numbers and email addresses. Personal data is transferred when corresponding via email, fax, or SMS. Consequently, companies need to clarify which data they possess or gather, where it is stored, who processes the data, to where it is transferred, and whether the data is processed in compliance with the new legal framework.

2. Check if the company is making use of IT services provided by US companies

If companies are using IT services, such as email security and archiving, provided by US enterprises such as huge hyperscalers, they need to check very carefully whether their data exports meet the requirements of the GDPR.

3. Review partners previously protected by the Privacy Shield

In July 2020, the European Court (CJEU) declared “Privacy Shield” – the data protection agreement between the EU and the USA – invalid with immediate effect. The decision was based on the grounds that EU citizens and companies were not granted sufficient protection from American authorities accessing their data.

Companies are advised to check whether they are working with any companies that were previously covered by the “Privacy Shield”; the website for the Privacy Shield framework can be used as a resource. Should this be the case, companies urgently need to clarify whether they are compliant with the GDPR. If in doubt, companies could request the service provider to issue a document confirming that data is not transferred to the USA at any point for processing, nor passed on to service providers in the USA, and that all data is processed exclusively in the EU.

4. Check SCCs and BCR carefully and complement if necessary

According to the European Data Protection Board (EDPB), it is also not necessarily permissible to simply use Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCR) as the legal basis for exporting data to the USA. This assessment also applies to the corresponding agreements involving countries such as China or Russia. The EDPB therefore advises companies that it is necessary to take “additional measures” to completely rule out the US intelligence services’ right to access personal data, a key issue which has been criticized by the CJEU. Thus far, only preliminary recommendations for ensuring compliance have been issued by the EDPB. In addition, companies are permitted to continue transferring data to the USA in accordance with the special provisions for specific situations outlined in Art. 49 GDPR, as long as the conditions outlined in the regulation have been fulfilled. As an example, this may require an explicit declaration of consent from the person concerned.

5. Select a suitable, qualified cloud service provider

With the right cloud service provider on board, companies benefit from high-performance communication processes that are secure and flexible across all of their locations. At the same time, data protection in accordance with the GDPR should no longer be an obstacle when selecting potential cloud services, especially after the company has already paid attention to ensuring that all providers meet their data protection and security requirements. In the best case, the provider can guarantee local data processing within the EU, ensure that processing takes place in its own data centers (even during failover or maintenance activities), and steer clear of US-based hyperscalers.

For companies who would like to quickly check whether they are on the safe side with respect to data protection, Retarus has put together “7 Questions you should ask now”. The Munich-based business communication experts have also made a questionnaire available, free to download, which allows companies to easily check whether an IT service provider ensures data protection in accordance with the GDPR.

About Retarus

Thanks to the excellence of its solutions and services, its intelligent infrastructure and its patented technologies “Made in Germany”, Retarus holds the reins of communication at companies around the world. Its state-of-the-art technologies, high-availability data centers and innovative Cloud Messaging platform enable Retarus to provide these companies with maximum security, increased performance and service continuity. Drawing on its experience in managing enterprise-level information flows, Retarus ensures that all information arrives securely and reliably at the right time, in the right place and in the right format, and has done so since 1992, with 15 offices on four continents. 75% of DAX 30 companies, half of EURO STOXX 50 companies and 25% of S&P 100 companies rely on Retarus services. Its most loyal customers include Adidas, Bayer, BNP Paribas, Bosch, Continental, DHL, DZ BANK, Fujitsu, Goldman Sachs, Honda, Interflora, Linde, PSA, Puma, Sixt, T-Systems, Sony, Europ Assistance and Photobox.

Retarus Press

retarus (France) SAS
Press Department
103 Rue de Grenelle
75007 Paris
+33 1 871663 00
+33 1 871663 10