How Will Schrems II Affect Your Company?

Data Protection

On July 16, 2020, the EU Court of Justice (CJEU) delivered a ruling in the so-called Schrems II case which came to lead the way when it comes to transferring personal data between the EU and the US.

According to the CJEU, US law cannot ensure the protection of EU personal data in the way that the European General Data Protection Regulation (GDPR) requires.

Brief recap of the GDPR

The GDPR was enforced by the EU in 2018 to protect EU citizens and their personal data. The GDPR applies to all companies and organizations in and outside the EU that process personal data from EU citizens. An example of processing data is using cookies, Google Analytics, and other tracking technologies on your website. In this case, the GDPR requires websites to obtain consent from their users before processing any personal data from them. 

In the Schrems II case, the CJEU struck down the Privacy Shield, which was designed to provide companies on both sides of the Atlantic with a way of complying with data protection requirements when it comes to transferring personal data from the European Union and Switzerland to the United States in terms of transatlantic commerce.

Thereby, the CJEU marked the US as a non-adequate country without any special access to the personal data streams of Europe. On the contrary, the CJEU validated the Standard Contractual Clauses (SCCs), which make it possible to transfer data between the parties who have signed the agreement.

Also Read: Differences between GDPR, Cyber Essentials, IASME, and ISO 27001

The SCCs make transatlantic data transfer possible after all

Because the CJEU validated the SCCs, transatlantic data transfer is still possible while at the same time ensuring compliance with the GDPR.

However, the Schrems II case stresses how important it is for data controllers to make sure that the transfer of personal data to and from the EU comply with the GDPR.

How to comply with the GDPR when transferring data outside the EU

But how can you as a company or organization make sure to comply with the GDPR when transferring data outside the EU?

The European Data Protection Board (EDPB) has made some recommendations to make sure you transfer data outside of the EU in compliance with the GDPR. The following brief recap of the recommendations focuses on the use of cookies and processing of personal data from your end-users.

Be aware of:

  1. Where in the world does your website send the data of your end-user to?
  2. Which transfer mechanism do you use to send data?
  3. What are the rules for data protection in the country to which you send the data?
  4. If you send data to a country with different rules for data protection, how can you then ensure additional security around your data transfers so that they meet the standards of equivalence?
  5. Finally, the EDPB recommends that you document your data transfer practices and the way in which you have ensured adequate protection for your website’s end-users.

1 comment

Ecotonic Solar Pvt Ltd June 8, 2021 at 1:01 pm

Thank You For The Info


Leave a Comment

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More