How should we deal with the invalidation of the Privacy Shield?

Since the Privacy Shield was invalidated by the European Court of Justice on July 16, 2020, there is uncertainty in the market about the consequences of this.

Many organizations need to be able to transfer personal data to the United States, for example if a subcontractor or partner is located there. The regulations for transferring personal data to third countries under the GDPR are very strict. A transfer can only take place if the EU has approved the recipient destination as offering the same or better level of protection as the EU, or if Standard Contractual Clauses can be invoked. To assess whether a transfer based on standard contractual clauses is lawful, an assessment of the legal system of the country to which the personal data is transferred is required, that is, whether, for example, the standard contractual clauses provide sufficient protection for the data subjects’ personal data. This is something that few, if any, companies and organizations in the world are able to assess. We now recommend that anyone transferring personal data to the US under the Privacy Shield take steps to ensure compliance with the GDPR.

Ask yourselves the following questions:

  • Do we have data flows to US-owned cloud services containing personal data?
  • Can we verify with our suppliers that our data is stored correctly once the Privacy Shield is invalidated? Also check subcontractors.
  • Should we review our privacy policies and remove references to the Privacy Shield?
  • Will this affect our data processing agreements? Ensure that transfers to the US are not based on the Privacy Shield.
  • Ensure that your GDPR registers containing references to the Privacy Shield are updated. You are obliged under the GDPR to keep these up to date.
  • Are we clear on how to respond to our customers, students, partners, etc. who have questions about the Privacy Shield invalidation?

We at Storegate offer a free 30-minute consultation. We are more than happy to talk about how Storegate’s services can help you comply with the GDPR and handle the invalidation of the Privacy Shield correctly.

Email info@storegate.com to book your meeting.

Tobbe Julius