Select Page
Retarus Press Release

Five tips for ensuring GDPR compliance

Despite increased fines and “Privacy Shield” being invalidated by CJEU, only one out of five companies is currently in full compliance with the EU’s stringent data protection regulations

Reading, 11/02/2021 // Internationally active companies would be well advised to urgently check the state of their data protection and make certain that the digitalization of their communication processes also ensures compliance with the GDPR. Cloud service provider Retarus, which for decades has been supporting companies to process their communication data in compliance with the law, points out the key factors which need to be considered.

According to a recent report published by international law firm DLA Piper, the cumulative value of fines imposed for infringements of the EU’s General Data Protection Regulation (GDPR) rose by a mammoth 40 percent across Europe over the past year. Since the GDPR came into effect in May 2018, a total of 281,000 data breach notifications have been reported across Europe. Fines for infringing on the regulations range up to 20 million euros or four percent of global turnover. In Germany alone, fines amounting to 69.1 million euros have already been imposed. Even so, Germany’s digital association Bitkom found that only 20 percent of companies surveyed in Germany – Europe’s largest economy – have fully implemented the GDPR.

Retarus GDPR Overview

​One reason for this is the ongoing legal uncertainty surrounding it. The European Court’s (CJEU) ruling on the Privacy Shield adds confusion to the matter.

In the following list, Retarus has compiled some useful GDPR Tips to provide some clarity, especially for companies that are transferring personal data across the EU’s borders:

1. Clarify what personal data is being transmitted

Personal data comprises all manner of information on an identified or identifiable natural person such as name, location, online identifiers (e.g. IP addresses), as well as facts relating to physical, psychological, economic, or social identity. This even includes fax numbers and email addresses. Personal data is transferred when corresponding via email, fax, or SMS. Consequently, companies need to clarify which data they possess or gather, where it is stored, who processes the data, to where it is transferred, and whether the data is processed in compliance with the new legal framework.

2. Check if the company is making use of IT services provided by US companies

If companies are using IT services provided by US enterprises such as huge hyperscalers, they need to check very carefully whether their data exports meet the requirements of the GDPR, such as email security and archiving.

3. Review partners previously protected by the Privacy Shield

In July 2020, the European Court (CJEU) declared “Privacy Shield” – the data protection agreement between the EU and the USA – invalid and with immediate effect. The decision was based on the grounds that EU citizens and companies were not granted sufficient protection from American authorities accessing their data.

Companies are advised to check whether they are working with any companies that were previously covered by the “Privacy Shield”. Feel free to use the website for the Privacy Shield framework as a resource. Should this be the case, companies urgently need to clarify whether they are compliant with the GDPR. If in doubt, companies could request the service provider to issue a document confirming that data is not transferred to the USA at any point for processing, nor passed on to service providers in the USA, and that all data is processed exclusively in the EU.

4. Check SCCs and BCR carefully and complement if necessary

According to the European Data Protection Board (EDPB), it is also not necessarily permissible to simply use Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCR) as the legal basis for exporting data to the USA. This assessment also applies for the corresponding agreements involving countries such as China or Russia. The EDPB therefore advises companies that it is necessary to take “additional measures” to completely rule out the US intelligence services’ right to access personal data, a key issue which has been criticized by CJEU. Thus far, only preliminary recommendations for ensuring compliance have been issued by the EDPB. In addition, companies are permitted to continue transferring data to the USA in accordance with the special provisions for specific situations outlined in Art. 49 GDPR, as long as the conditions outlined in the regulation have been fulfilled. As an example, this may require an explicit declaration of consent from the person concerned.

5. Select a suitable, qualified cloud service provider

With the right cloud service provider on board, companies benefit from high-performance communication processes that are secure and flexible across all of their locations. At the same time, data protection in accordance with the GDPR should no longer be an obstacle when selecting potential cloud services, especially after the company has already paid attention to ensuring that all providers meet their data protection and security requirements. In the best case, the provider can guarantee local data processing within the EU, ensure that processing takes place in its own data centers (even during failover or maintenance activities), and steer clear of US-based hyperscalers.

For companies who would like to quickly check whether they are on the safe side with respect to data protection, Retarus has put together “7 Questions you should ask now”. The Munich-based business communication experts have also made a questionnaire available, free to download, which allows companies to easily check whether an IT service provider ensures data protection in accordance with the GDPR.

About Retarus

Retarus is a global provider of cloud solutions, modernizing and securing the digital communications and data exchange of organizations and public authorities. Key products are digital Cloud Fax, SMS, Transactional Email, Email Security, Supply Chain Integration, and Intelligent Document Processing. Retarus operates globally distributed data centers, providing these solutions with top performance, security, and data protection. Headquartered in Munich and founded in 1992, Retarus is privately owned and proud of its innovative strength. The company employs around 500 people in 20 locations on four continents. Nearly half of the companies listed in the S&P Global 100 already place their trust in Retarus and, along with leading analysts, confirm the outstanding quality and reliability of its services. Retarus generates around 40 percent of its revenue in the US and offers its products both directly and in close cooperation with selected partners. More information:

Press Contact Form

  • Hidden
  • Hidden
  • This field is for validation purposes and should be left unchanged.

Press Center

Visit our Press Center to see all Press Releases.

Share this:


Pictures // 500 KB
The materials provided at this Web site are for use solely by the news media in articles or other news reports. You do not obtain any ownership right, title, or other interest in Retarus trademarks or copyrights by downloading, copying, or otherwise using these materials.

Always up-to-date

Retarus provides the latest news, information about events as well as reports on first-hand experiences from our customers and business innovators. Sign up for your free newsletter subscription now.

Contact for journalists

retarus (UK) Ltd.
Media Relations
Reading Bridge House
Reading RG1 8LS
United Kingdom
+44 207 1730370
+44 20 392099-00