7 questions you should ask now
On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-US Privacy Shield in its Schrems II judgment. Why? Because EU citizens and companies are not sufficiently protected against access to their data by US authorities and have no effective legal remedy against such access.
As an IT manager, you are directly responsible for the data of your customers, employees, and business partners, even if you outsource the processing. Fines for violations can reach 20 million euros or 4% of global annual turnover, whichever is higher, an entirely new order of magnitude. Supervisory authorities can also order unlawful data transfers to be suspended. Managers can be held personally liable, and D&O insurance has its limits.
Which measures do you need to take? So far there are no final recommendations from the EDPB (European Data Protection Board) or the EU Commission. We have therefore put together this guide with the most important information. Here are the 7 questions you should ask:
1) How do I currently transfer personal data?
To answer this, clarify the following: Which data do you hold or collect? Where is it stored? Who processes it, and where is it transferred to? And do you have a legal basis for each of these steps?
2) Do I use IT services provided by US-American companies?
3) Do I work with companies previously covered by the Privacy Shield?
The EU-US Privacy Shield is no longer valid, and there is no grace period. If you are currently working with one of these companies, verify immediately whether they comply with the GDPR. When in doubt, ask for a written statement confirming that at no point during processing will data be transferred to the USA or to service providers in the USA.
4) Can I replace Privacy Shield with SCCs or BCRs?
Individual SCC (Standard Contractual Clauses) and BCR (Binding Corporate Rules) agreements with each US provider require considerable administrative and legal effort. Furthermore, supplementary measures are required on top of them, but as of November 2020 the EDPB has published only draft recommendations on how to implement these. The risk posed by the US CLOUD Act, which allows US authorities to compel US providers to hand over data regardless of where it is stored, remains even if SCCs or BCRs are in place.
5) May I continue to transfer data to the USA under the derogations in Article 49 of the GDPR?
7) What should I do if I am searching for a GDPR-compliant solution for my corporate communication?
If needed, you can migrate your email, SMS, and fax traffic to Retarus’ Enterprise Cloud within as little as 24 hours. Get a quick overview of our services and learn how we support you in implementing compliance requirements.
Questions? Contact us!
Please note that this page is for non-binding informational purposes only and does not constitute legal advice. Its content cannot and should not replace individual, binding legal advice that takes your specific situation into account. Accordingly, no liability is assumed for the correctness, completeness, and accuracy of the statements.