The Privacy Shield
is History

There are also risks posed by the CLOUD Act (Clarifying Lawful Overseas Use of Data), which allows US authorities to access data from US companies and their subsidiaries, even if it is saved or processed outside the US.

As an IT manager, you are directly responsible for your customers’, employees’, and business partners’ data, even if you outsource data processing. Penalties for violations equal up to 20 million euros or 4% of your global revenue – an entirely new magnitude. The authorities can also stop unlawful data transfer. Managers can be held personally liable and D&O insurances have their limits.

What measures do you need to take? No final recommendations from the EDPB (European Data Protection Board) or the EU Commission have been made so far. We’d therefore like to provide you with this guide which includes the most important information. Here are the 7 questions you should ask:

Personal data is any information relating to natural persons identified or identifiable: name, location, online identifiers (e.g. IP addresses), and facts relating to the physical, mental, economic, or social identity of natural persons, including fax numbers and email addresses. Personal data is transferred, for example, in correspondence via email, fax, or text messages.

This means you must clarify the following: What data do you own or are you collecting? Where is it saved? Who processes it and to where is it transferred? And do you have the legal basis for all of this?

Possible candidates are Google, Facebook, Twilio, Zoom, Slack, Proofpoint, Dropbox, Microsoft, and LinkedIn. If you use these, you should carefully examine whether your data export complies with GDPR regulations, for example in regards to email security and archiving.

On the Privacy Shield Framework website you will find a list of all these companies.

The EU-US Privacy Shield is no longer valid and there is no grace period. If you are currently working with one of these companies, you should immediately verify if these companies comply with GDPR regulations. When in doubt, you should ask for a statement confirming that at no time during data processing will data be transferred to the USA or service providers in the USA.

According to the EDPB declaration of July 24, 2020, US legislation does not guarantee equivalent protection with respect to SCCs (standard contractual clauses) and BCRs (binding corporate rules). This assessment also applies to corresponding agreements with countries such as China or Russia.

Individual SCC and BCR agreements with each US provider require a high degree of administrative and legal involvement. Furthermore, additional measures are required. However, as of November 2020, there are only preliminary implementation recommendations from the EDPB. Risks posed by the CLOUD Act still remain even if SCCs and BCRs are used.

Generally speaking, yes, if the requirements are fulfilled. However, the hurdles are high. Individuals must give informed, specific, and explicit consent.

Wording of Art. 49 GDPR

Make the switch to Retarus’ innovative platform services now and bring your risk factor for data protection to zero. We process all European customer data exclusively in our European data centers – in Frankfurt, Munich, and Zurich. We ensure inner-European processing even during failover or maintenance. Retarus does not use US hyperscalers like Google, AWS, or Azure. Retarus is headquartered in Germany and has been family-owned since its founding, with no foreign companies as stakeholders.

If needed, you can migrate your email, SMS, and fax traffic to Retarus’ Enterprise Cloud within as little as 24 hours. Get a quick overview of our services and learn how we support you in implementing compliance requirements.

The current data protection situation appears to be unclear and complicated. However, we should not forget that all of this change brings many positives: your sensitive business data will be better protected because GDPR is a top priority of Retarus.