Blog: GDPR compliance
The New Data Protection Act (PIPL) in China explained by our Chinese partner office
Since 10 June 2021, China has a new Data Protection Act, called PIPL. At first sight, there are many resemblances with GDPR, but there are also a few notable differences.
New SCC's are available: adjust your data export agreements
Since last summer’s Schrems II judgment, about which we have repeatedly reported on our blog, exporting personal data outside the EU has become quite cumbersome. In particular, the disappearance of the “Privacy Shield” between the EU and the US is causing a lot of complications and forces European companies to conclude Data Export Agreements on a large scale with non-European (usually American) partners containing so-called “Standard Contract Clauses”. These SCC’s are model documents that are made available by the European Commission to be copy/pasted into Data Export Agreements and thus guarantee safe export at a contractual level.
However, one of the major problems until now when concluding Data Export Agreements was that the European Commission’s SCC’s or Standard Contract Clauses were outdated. They dated from before the entry into force of the GDPR and were not adapted to that GDPR, nor to the current technological and economic reality.
Those old SCC’s have now finally been replaced by new, fully up-to-date versions since June 6, 2021, and European entrepreneurs can now get started concluding legally sound and secure Data Export Agreements with their partners outside the EU. We provide a summary below of what you need to know about these new SCC’s. On our download page you will also find a downloadable copy of the new SCC’s, along with our Vendor Assessment Form that you can use to determine whether or not your foreign partners receive personal data from you and whether they handle it correctly and in accordance with GDPR. This way you can work quickly, clearly and with a minimum of effort on GDPR compliance within your company.
Data export is any exchange of data with a partner outside the EU. It could be a hosting provider from whom you rent server space, an offshore call center or customer service, a developer or online marketing agency outside of Europe, a cloud storage service, an email service provider or just about any online service or tool you can imagine.
GDPR only allows data export to countries outside the EU if the recipient outside the EU can guarantee an appropriate level of protection.
A handful of countries are automatically considered to offer an appropriate level of protection, but for most other countries data export since the end of the EU-US Privacy Shield requires a Data Export Agreement, in which written data protection guarantees are made.
“Appropriate additional guarantees”
Since the Schrems II judgment, we know that simply signing (the old version of) the SCC’s is not sufficient in itself to ensure safe data export. As a European entrepreneur, you have the obligation to carry out a documented assessment of the risks involved for every data export and to request, if necessary, “appropriate additional guarantees” from the recipient. We have already set these out several times for you, for example in this article about Mailchimp or in this webinar on our YouTube page.
New SCC’s are “Schrems proof”
The new standard contractual clauses are not only fully aligned with the text and content of the GDPR, they have also been made “Schrems proof”. That is to say, they contain many clauses that meet the requirements set out by the European Court of Justice in the Schrems II judgment to make a prior risk assessment and to demand additional guarantees where necessary.
Please note that this does not mean that a separate risk assessment and additional separate guarantees are no longer necessary. As an entrepreneur, you still have to carry out the necessary preliminary investigations before exporting personal data outside the EU, but the new SCC’s do, in any case, already provide for this obligation in their content, which was not the case with the old ones.
In the past, a number of “versions” of the SCC’s coexisted. Depending on the situation, you could choose one of those versions and incorporate it into an agreement, for example for data export between a European controller and a non-European processor.
That system is now replaced by one global set of SCC’s, which you can adapt to your personal situation by copying/pasting or omitting individual clauses (modules). According to the European Commission, this should lead to more ease of use, but personally, we fear that it threatens to do exactly the opposite and seriously impede the use of these model documents by non-lawyers.
That one global version of the SCC’s now also provides for two previously missing situations for the first time: the transfer by a processor in the EU to a controller outside the EU and the transfer from a processor in the EU to another processor outside the EU.
Replace your existing SCC’s in time, with our help at Sirius Legal!
The existing SCC’s are still valid for three months for new data exports. A grace period of 15 months applies for existing data exports, but after that all existing Standard Contract Clauses must also be replaced by the new regulations.
Since the content of the new SCC’s has changed considerably (there are, for instance, many new additional guarantees and obligations), this means that as a company you will have to renegotiate many of those existing model contracts, or that you will at least have to carefully review the new versions before signing.
Sirius Legal helps you with that. You can visit our website for our “Data Export Compliance” service, with which we help your company through the maze of old and new SCC’s and “additional appropriate measures”.
In any case, make sure you have a good overview of all your data exports in a spreadsheet, check with whom you do or do not have a current Data Export Agreement, and ensure a timely adjustment where an agreement was already concluded in the past, or the conclusion of a new Data Export Agreement where none had been concluded before.
Do not forget to carry out an individual impact assessment and to properly document this. If one day there is a cyber attack or hacking at one of your suppliers and it turns out that you did not follow the rules before entrusting your data to him or her, you quickly risk being liable for the consequences of such a data breach…
Be aware that data export is a point of attention for many governments, including our Belgian Data Protection Authority. The German authorities, for example, announced this week that they will carry out extensive checks on data exports by German companies. Those checks will primarily focus on the use of email service providers, hosting companies, tracking via cookies, application management and the exchange of customer data within groups of companies, for example based on Customer Data Platforms.
Questions about data export or GDPR in general?
We are happy to make time for you. Feel free to call or email Bart Van den Brande at firstname.lastname@example.org or +32 492 249 516 or book a free online introductory meeting with Bart via Google Meet or Zoom.
How The Bavarian Mailchimp decision makes the impact of the Schrems II judgment on data export painfully clear
A recent decision by the Bavarian data protection authority raises serious doubts about whether the popular email marketing platform MailChimp can be used legally under the GDPR.
By extension, the same problem arises for almost all US software applications that process personal data of EU citizens. After all, data export to the US has been a serious legal issue ever since the European Court of Justice annulled the Privacy Shield last summer and at the same time pointed out that the use of Standard Contract Clauses as an alternative is rather difficult because it requires a case-by-case examination of the need to implement additional security measures to ensure data privacy.
It is precisely that issue of additional measures that is now highlighted by the Bavarian Mailchimp decision.
The impact of the Schrems II ruling of the European Court of Justice last summer has had an increasing impact in Europe over the past few months. Many companies have hesitated about how to react to the ECJ’s decision last summer to overturn the EU-US Privacy Shield. After all, almost all software tools that European companies use today are American and since most of them are now cloud services or online tools, there is by definition data export to the US…
The problem only got worse by the fact that in the same effort, the ECJ also added that in the event of any data export outside the EU (also to destinations other than the US), the exporting company must also immediately take into account the fact that the Standard Contract Clauses that the European Commission itself provides to guarantee secure data export between companies and organizations within and outside the EU are not sufficient.
The Schrems II judgment requires that transfers of personal data to cloud service providers in the United States be assessed on a case-by-case basis and if there is a risk to the integrity of the data in question, additional security safeguards must be provided. These additional safeguards are almost automatically imposed on exports to the US, given the very far-reaching investigative powers of the US intelligence agencies, for example under section 702 (50 USC § 1881a) of the Foreign Intelligence Surveillance Act (Cloud Services Act).
Using Mailchimp not OK?
It sounds almost absurd, but the Bavarian data protection authority (Bayerisches Landesamt für Datenschutzaufsicht) earlier this month banned a European online magazine from using Mailchimp any longer to send its newsletters.
The reason? Well, by using Mailchimp to send newsletters, companies are sending personal data (e.g. email addresses and recipient names) to Mailchimp’s servers in the United States and that is potentially not OK.
The Bavarian Data Protection Authority justified its decision by noting that the company had not previously investigated whether additional safeguards were needed for the transfer of personal data to Mailchimp, in particular because Mailchimp may be subject to the Cloud Services Act.
Note in this context the important nuance that the Bavarian Data Protection Authority did not rule that MailChimp is per se illegal. Instead, it ruled that in this particular case, the company’s use of MailChimp was illegal because the company had not previously assessed whether adequate additional measures had been taken to ensure that its personal data was protected from access by U.S. regulatory agencies.
Following the already mentioned Schrems II judgment, European companies should indeed have started a broad data export audit or “vendor assessment” within their company in order to determine if:
- there is data exchange outside the EU / EEA
- there is an appropriate legal basis in accordance with Chapter V GDPR (standard contract clauses, binding corporate rules or one of the other less common and obvious legal grounds)
- the data concerned is in any way particularly sensitive and whether the data export as such can be justified
- additional safeguards may or may not be required on the receiving end of the data flow
- more generally, whether the receiving party can guarantee all-round GDPR compliance
This exercise should obviously, based on the accountability principle under GDPR, be documented in detail, and that is precisely why we at Sirius Legal have been offering a free Data Export Impact Assessment form on our website since last September. That form has now been downloaded hundreds of times by companies all over Europe, by the way.
Incidentally, the EDPB has already listed some additional measures to be taken some time ago in its “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” of 10 November 2020. In this document, various data export scenarios are proposed and each time an indication is given on a case-by-case basis about how to ensure a secure exchange of personal data or which method is certainly not sufficiently secure.
The recurring message in that document is the need to encrypt personal data before exporting it and to make use of proprietary (preferably European) encryption techniques prior to export and separate from the platforms’ own encryption technology.
The use of Mailchimp also falls within this context. After all, personal data is exported to the US, where Mailchimp is considered a telecom provider under FISA legislation, which means that it potentially has to provide access to its customer data to the US government. Therefore encryption is necessary. Only… the use of Mailchimp actually does not allow such encryption from a technical point of view and as a consequence it is hard to imagine how a European company can use Mailchimp in a legally compliant manner…
Mailchimp as a wake-up call?
Until now, it seemed that the European data protection authorities had turned a blind eye for the time being and had given some kind of unofficial grace period for European companies and organizations to adapt to the changed legal situation after the Schrems II judgment. This certainly also had to do with the fact that the aforementioned Standard Contract Clauses are being reviewed and updated by the European Commission at this very moment.
However, the actions of the Bavarian Data Protection Authority now show that things are now getting serious and that companies will eventually have to ensure a secure exchange of personal data with their non-European partners. In a press release accompanying the Mailchimp decision, the Bavarian authority noted that in its view this case is an example of how the Schrems II judgment will be enforced in practice in the future.
Is your software “data export compliant”?
The painfully problematic conclusion is that no American software application currently works completely “GDPR compliant”…
We ourselves at Sirius Legal have conducted a benchmark test in recent months on 10 of the most well-known marketing tools, including Mailchimp, Sharpspring, Hubspot, Active Campaign, Salesforce and a few others. The conclusion is that most of these – all American – providers have adapted in recent months in the sense that they no longer invoke the Privacy Shield as a legal basis, but now refer to Standard Contract Clauses, but that they also all still show several essential shortcomings in the area of data export compliance:
- In some cases, the Standard Contract Clauses are unavailable or in any event nowhere to be found on the website
- most vendors provide either no or only very general and vague “additional safeguards”
- most, if not all, providers rely on sub-processors, of which neither the identity nor the location is sufficiently clear and of which there is little or no guarantee of GDPR and data-export compliance with the sub-processor concerned.
The same applies by extension to other non-European cloud services or online applications. Almost by definition, they are not (completely) GDPR compliant, and any use thereof requires a prior audit and possibly the provision of additional technical or organizational guarantees.
Can European companies no longer use American or other non-European services at all?
Fortunately, things are not as problematic as they might seem at first sight. Jumping to the conclusion that all non-EU software should be banned would be absurd in a globalized society and economy as we know it today.
In the Mailchimp case, the problem was evidently clear, as the company in question apparently had not made any prior risk assessment at all to document whether additional safeguards were needed. That in itself was enough to provoke this decision.
Future matters will probably lead to a less obvious sanction, at least if the EU companies concerned have made a well-balanced and documented prior risk analysis or even implemented additional safeguards. Which measures will be “sufficient” in which context will only become clear when there is sufficient case law available, but it is evident that the “sensitivity” of the data and the risk of access requests from abroad play a role. In that context, a mailing list for a legal weekly appears much less problematic than the membership list of a political party and in the former case a well-founded preliminary estimate may (?) be sufficient …
However, this decision should without a doubt be seen as a warning to all companies and organizations in Europe on the importance of due diligence when transferring personal data outside the EU. As a company, it is best to get started as soon as possible with a strict and thorough internal audit exercise on the basis of which you can demonstrate that you have assessed whether or not your data can come into the hands of third parties and especially foreign governments if you use non-European applications.
If necessary, feel free to use our free Data Export Impact Assessment form to collect the necessary information from your non-European partners.
Also, take into account that if a supplier cannot or does not want to provide information to help you properly assess the potential risks, you will have to consider whether you can continue to work together and that in the worst case you will indeed have to look out for another alternative (preferably European) partner …
Would you like to know more about the practical impact of Schrems II?
Or better yet, register for the Schrems II webinar of our international contact network Consulegis “The Practical Impact of Schrems II on International Data Flows” on April 14th. Speakers from the EU (including Bart Van den Brande for Sirius Legal), the UK, the US and India will discuss all legal and practical sensitivities of international data flows and make time for all your questions and concerns.
Why Clubhouse is yet another example of companies that do not take your and my privacy seriously
Every so often yet another new social media platform pops up that, according to insiders and early adopters, is going to change the internet.
The success of the Snapchats and TikToks of this world has two things in common: on the one hand, their success often fades just as quickly as their hype started, and on the other – and this is something that the privacy advocate in me finds continuously disturbing – the companies behind those apps never seem to pay any real attention to your and my privacy. In some cases, the main reason for this seems to be a rather disturbing lack of knowledge and understanding of (European or other) data protection laws, but just as often the impression remains that the entire business model of social media companies is built on unbridled data collection with the aim of building user profiles and selling those as ad profiles to advertisers around the globe.
School book marketing strategies
The latest rising star in the social media firmament is Clubhouse, an audio file sharing app that you can only access and use after an invitation by one of your friends.
In other words, it seems that the authors behind Clubhouse have used a few marketing classics to make their new product a success: creating artificial scarcity by limiting access to your product and counting on the ego of the fortunate few to fuel the hype and to have the masses eagerly await the moment when they too will be included in the inner circle. This technique has proven its success on school playgrounds around the world many years ago, as children fiercely searched for that one rare Pikachu card and even today we all fall for the same strategies…
A word about privacy and GDPR …
But Clubhouse appears to carry the same flaws as so many other success stories in the appstore of your choice. The marketing strategy is well thought through, but no one seems to have really thought about respect for your and my privacy along the way.
It is not surprising that Clubhouse is now subject of investigations by various European privacy authorities. Both the French CNIL and the state DPA in Hamburg, the HmbBfDI, are currently investigating the way in which Alpha Exploration Co., the American company behind Clubhouse, handles personal data of its current and future users.
In France, the investigation is the result of a petition against Clubhouse, which has now collected more than 10,000 signatures and anyone who remembers the millions of fines in France for Google and Amazon last December knows that the CNIL is not afraid to strike hard against American tech companies.
Your contact details processed without you knowing …
One of the biggest issues with Clubhouse is that the whole story is based on a member-get-member system, where existing members upload their digital phone book and open it up to Clubhouse. Based on that phone book Clubhouse invites new users or has them invited by its users.
In other words, even if you have not yet received an invitation today, Clubhouse has probably already processed your personal data without your permission via one of your friends or acquaintances and that in itself is very problematic.
Just a few months ago, the Belgian GBA imposed a hefty fine on dating website Twoo in very similar circumstances, arguing that no valid legal basis under GDPR can be found for the processing of friend data. After all, your friends have not given permission to – in this case – Clubhouse to process their data, nor to you to process and share their data with Clubhouse for that purpose. Nor can Clubhouse and its users rely on a legitimate interest in this context and the processing of contact details of non-users therefore lacks a valid legal basis.
Incidentally, the need to demonstrate sufficient legal grounds is not an administrative formality. The obligation to have a valid legal basis for any processing of personal data is one of the cornerstones of GDPR and of your and my privacy protection …
Conversations recorded without knowing it…
By the way, did you know that Clubhouse is also recording your conversations? That doesn’t have to be a problem, at least as long as Clubhouse only uses those recordings to evaluate any complaints and then permanently removes recordings from its servers. We do not know whether Clubhouse actually does that, but the previous paragraphs in this article give very little confidence.
Another point on which Clubhouse fails to offer transparency is the data collection by means of cookies and other trackers. Clubhouse itself indicates that it collects data in this way and that it shares this data with advertisers via advertising networks. However, as far as we could determine, Clubhouse does not provide a clear overview of which cookies and trackers are used, which data is collected and with whom exactly that data is shared. Moreover, again as far as we could determine, no free and informed opt-in is obtained for the use of those cookies and trackers …
Data export outside the EU
Exporting personal data outside the EU (for example by storing it on servers in the US) is only allowed under strict conditions and requires contractual and technical security guarantees. Clubhouse, however, limits its privacy policy to the short statement that “By using our Service, you understand and acknowledge that your Personal Data will be transferred from your location to our facilities and servers in the United States, and where applicable, to the servers of the technology partners we use to provide our Service”.
Should you then best stay away from Clubhouse?
Time will tell whether Clubhouse is just another hype or a stayer in the social media landscape. The above comments do not necessarily mean that you should not work with Clubhouse. Follow the hype if you feel called to do so, there is nothing wrong with that.
But as a consumer and citizen you better be aware of what big tech companies do with your data, so that you can make conscious choices.
Want to know more about GDPR, data protection or social media?
Do not hesitate to contact us via email@example.com or book a no-obligation video call with Bart via this link: https://koalendar.com/events/Meet-with-Bart-Van-den-Brande
Who is the competent Data Protection Authority to take you to court?
An upcoming judgment of the Court of Justice may have interesting consequences for companies operating in a cross-border context. In a recent opinion on the case of the Belgian Data Protection Authority (DPA) against Facebook, the Advocate General of the Court of Justice wrote that ‘the DPA of the country in which the registered office of a company is located has a general power to initiate legal proceedings against that company. The other DPAs also have this power, but only in a limited number of cases.’
Local and leading authorities
A DPA is an independent government body that, among other things, watches over our right to privacy. Each European country has at least one such authority that exercises its powers within its territory. Sometimes several DPAs can be competent, because data processing problems increasingly occur across borders. In that case, there is a leading DPA. This is the DPA of the country in which the registered office of the processor or controller committing the infringement is located.
Belgium vs. Facebook
The case started about five years ago when the predecessor of the Belgian DPA took Facebook to court. The reason for this was, among other things, the use of tracking cookies. These are cookies used to follow Internet users across different websites. The court initially ruled in favor of the predecessor of the Belgian DPA, but Facebook appealed the decision. Facebook claims that the Belgian DPA does not have the authority to commence legal proceedings against it. It is of the opinion that only the DPA of the place of its registered office is competent to start legal proceedings. In this case, that would be the DPA of Ireland.
Subsequently, the Brussels Court of Appeal asked the Court of Justice in Luxembourg who is competent to bring legal proceedings against a company in the event of cross-border infringements. Is it only the leading DPA or can any national DPA do so?
One DPA to rule them all
We are still waiting for a judgment from the Court of Justice, but Advocate General Michal Bobek has already shared his opinion. These opinions are almost always followed by the Court of Justice. In his opinion, he clarifies that DPAs do indeed have the power to take infringers to court, but in the case of cross-border disputes, this power is limited. In that case, only the leading DPA may initiate proceedings in consultation with the other competent authorities.
This is called the one-stop shop mechanism. This means that a company can only be sued in the first instance by the DPA of its registered office. In the Facebook case, this means that the Irish DPA has the authority to initiate proceedings in the first instance. However, it should always do this in close cooperation with the other DPAs. Mind you, the victims of infringement can still start proceedings in their own country against companies with a registered office in another country.
The Advocate General emphasises that in five cases the national DPAs can initiate legal proceedings when they are not the leading DPA:
- For breaches outside the framework of the GDPR. For example, the French DPA (CNIL) has already imposed fines in this context for breaches of the cookie rules in the ePrivacy Directive.
- In the case of cross-border processing operations carried out by public authorities in the public interest or in the exercise of their official powers or by controllers not established in the European Economic Area.
- When the controller has no establishment in the European Economic Area.
- For urgent measures.
- After the leading DPA has decided not to hear a case.
It will now be several months before the Court of Justice gives its final ruling on the case. After that, the Brussels Court of Appeal will rule on the case, taking into account the Court of Justice’s replies.
A possible consequence of this situation is that some companies will move their headquarters to the country with the least stringent DPA. Indeed, some DPAs are more lenient on certain issues than other DPAs.
A bit of important GDPR news at the beginning of this new year: Brexit and Standard Contract Clauses
2020 was a turbulent year for the entire world for obvious reasons, but also specifically when it comes to GDPR the year did not go unnoticed. Anyone who has followed our blog in the past year has undoubtedly noticed that many companies throughout Europe have been fined, sometimes very high. Google, Amazon, Marriott, Ticketmaster, H&M, British Airways, Vodafone, … The list of names of companies that ran into difficulties is quite impressive. Moreover, there was a lot of fuss about the impact of the Planet 49 judgment and last summer also the Schrems II judgment.
At almost literally the very last minute, 2020 brought two more important novelties that we did not want to keep from you at the start of the new year: Brexit is a fact and, against all odds, a Brexit deal was found that also covers data exports to the UK. In addition, in the same sphere of data export, the European Commission published its long-awaited draft version of the new Standard Contract Clauses for data export outside the EEA. We summarize both briefly below.
The impact of the Brexit deal on data export
It seemed like the never-ending story, but at the very last minute the EU and the UK finally reached an agreement on (the broad outlines of) their cooperation after Brexit. This agreement also includes one short passage on data protection and data export between the UK and the EU.
After all, from 1 January 2021, the UK will be a ‘third country’ under GDPR. We explained earlier that without a Brexit deal that would mean that the UK would suddenly have to be equated with Russia or China in terms of data exports, since the UK cannot automatically be included in the list of “safe” countries, which are considered to offer an equivalent, adequate data protection level as the EU itself. That would mean that anyone sending data to the UK would have to start working on the implementation of the necessary alternative safeguards for data export. In most cases this would mean that agreements would have to be provided on the basis of the Standard Contract Clauses of the European Commission, possibly supplemented with the necessary additional guarantees in the light of the Schrems II judgment. In addition, existing Binding Corporate Rules would have to be replaced if approved by the UK ICO (which is no longer a European data protection authority) and many UK companies would have to appoint a representative in the EU.
Fortunately, the Brexit agreement remedied this at the last minute in the form of a commitment on the part of the EU to quickly grant the UK an adequacy decision and, in the meantime, to grant the UK temporary adequacy for a period of up to six months. As a consequence the UK can, at least for the time being and pending formal recognition, be considered a safe third country. The agreement works in both directions, so also for data that flows from the UK to the EU. Data exchange with the UK can – for the time being at least – continue undisturbed and without further legal or administrative intervention.
There is one small reservation for now: although the Brexit agreement has been provisionally in force since January 1, 2021, it still needs to be formally approved by the European Council and the European Parliament before it can be ratified and fully implemented. The deal also has to be approved by the British Parliament. If the agreement is ultimately not approved, the previously foreseen problems regarding data exchange after Brexit threaten to emerge soon …
New Standard Contract Clauses
Just as long awaited as the Brexit deal were the new versions of the Standard Contract Clauses for data export outside the EU. After all, the old versions were not aligned with the terminology of the GDPR and were very clumsy to use. Moreover, the Schrems II ruling made it clear last summer that the existing SCC’s are insufficient as a legal basis for data export outside the EEA (the EU, expanded with Norway and Liechtenstein). The European Commission has therefore been working on an update of the existing contract clauses for a long time.
In the meantime, on November 12, 2020, the European Commission made its proposal for modified and supplemented SCC’s public for consultation. The envisaged consultation period ended shortly before Christmas. The European Commission is now processing the received feedback into its final versions and is also awaiting, among other things, the final advice from the EDPB on appropriate additional safeguards for data export (following the Schrems II judgment). The intention of the Commission is to encapsulate those safeguards directly in the SCC’s contractually, in order to ensure smooth and secure data exports outside the EEA based on the new SCC’s without any additional hassle.
The Commission provides for a transition period of 12 months for companies from the date the final version will be made public to implement the new SCC’s. Anyone who exports data on the basis of the old SCC’s or on the basis of the Privacy Shield that has since been annulled should therefore keep an eye on the Commission website.
The new (for now draft) SCC’s have a modular structure. There is one central version of the SCC that can be adapted based on additional text modules to cover four hypotheses:
- Exchange between two (or more) controllers
- Transfer from a controller to one (or more) processors
- Transfer from a processor to one (or more) (sub-)processors
- Transfer from a processor to one (or more) controllers
The draft SCC’s focus much more than before on transparency, no doubt prompted by the Schrems II judgment. For example, when transferring from controller to controller, the data importer must provide a lot of information to the data subjects (directly or through the data exporter), such as the identity of the data importer and details of the intended processing.
The draft SCC’s also contain the obligation to sign a corresponding SCC with the receiving third party in the event of further data transfer by the data importer to such third party or to provide another sufficient legal basis.
The SCC’s also provide by default a guarantee by the data importer that no local law will affect its obligations as a data recipient. To this end, the parties must prepare an impact assessment in advance precisely to verify the possible impact of local legislation. In addition, the data importer must immediately notify the data exporter – and, if possible, the data subjects – of access requests by local authorities and must, for example, also take appropriate legal action against illegal access requests.
The SCC’s also receive an extensive appendix this time. The European Commission is expected to add concrete minimum technical and organizational measures to protect data during export. These additions will be based on the EDPB’s final advice on exactly those measures, which is to be published soon as a follow-up to the Schrems II judgment.
The modernization of the Standard Contract Clauses is a step forward in terms of smooth data export outside the EEA, but the fear remains that this will not be sufficient in the long term. Most lawyers are anxiously looking forward to another Schrems judgment, which would this time around be directed against the SCC’s instead of the Privacy Shield like last year. After all, the underlying problem remains the same: no contractual or structural agreement can provide certainty about data security outside the EU. Foreign security services have widespread access, legal or otherwise, to European data and recipients outside the EEA can never guarantee that this could be prevented, even with new and stricter SCC’s …
Nevertheless, you should most certainly give priority to the implementation of the new SCC’s as soon as possible once they are final. We have already explained this in a number of webinars (the recordings of which are available on our YouTube channel) and on our website (with a handy questionnaire that you can send to partners outside the EEA to estimate whether the data you exchange with them is processed safely and correctly).
Questions about international data transfers or about GDPR in general?
The practical guide on retention periods for personal data
An important principle that companies must take into account when processing personal data is the principle of storage limitation. According to that principle you have the obligation to organise the “data lifecycle” of the personal data that you process and, more specifically, to set and monitor maximum retention periods for those personal data.
It is not always easy to determine exactly how long the personal data can be stored and many companies are struggling with this. How long can you store which personal data? How long is it “necessary” to store personal data? What should you take into account when setting retention periods? Can you always freely determine the storage periods?
In this article, we try to answer these questions on the basis of a practical guide from the French supervisory authority (the Commission Nationale de l’Informatique et des Libertés, or CNIL).
The data lifecycle, what is it?
Almost every company processes personal data. Data is collected, organised and stored, updated and further used, possibly forwarded and eventually deleted. The set of processing operations that personal data undergoes forms the life cycle of personal data.
In its practical guide, the CNIL divides this life cycle into three subsequent phases:
- The current use (“active basis”) of personal data: this stage concerns the current use of personal data by the various departments within the company responsible for processing them. In concrete terms, this means the collection of personal data and their daily use within the company. The personal data are accessible in the immediate working environment for the various stakeholders who have to work with the personal data.
- The interim archiving of personal data: the personal data are no longer actively used to achieve the recorded purposes (“closed files”), but are still of interest to the company because they can be useful later, for example in the context of possible future disputes or to comply with a legal obligation. From then on the personal data may only be consulted in an ad hoc and reasoned manner by specifically authorised persons.
- The final archiving of personal data: this concerns personal data that are archived without a time limit. It concerns processing carried out for the purpose of archiving in the public interest, scientific or historical research or statistical purposes. The CNIL notes that this last stage is mainly relevant for the public sector.
The CNIL emphasises the basic principle laid down in article 5 GDPR that personal data must be definitively deleted at the end of the intended processing, in other words: when the purpose for which your data was used has been achieved.
This does not mean that data should be systematically deleted everywhere and in all cases. Personal data can be used for various successive applications (and therefore purposes) and a different retention period may apply for each application and purpose.
For example, it is possible in certain cases to temporarily archive or anonymise personal data. In this respect, permanent anonymisation is on the same footing as deletion, since anonymised data are no longer personal data.
How do you determine appropriate retention periods?
The GDPR does not determine exactly how long personal data may be retained. In other words, the regulation does not provide a list of predetermined retention periods.
However, the CNIL does now provide some useful guidelines:
- Sometimes the law determines how long you may or must retain data (for example, the retention of certain accounting documents).
- There are also sector-specific guidelines from some supervisory authorities, such as the CNIL itself (see for example its “reference frameworks”, such as reference RS-001 “the management of health monitoring”).
- In some cases, references can also be found within the sector, for example in sector codes.
The CNIL offers an evaluation scheme to help companies determine retention periods. That scheme can be found here.
Some concrete examples
- How long can I retain (personal data in) the invoices from my accounts (bookkeeping)?
Each company has the obligation to keep its accounting documents for 7 years from the first day of the year following the closing of the financial year (Royal Decree of 21 October 2018).
Documents relating to construction and renovation – including invoices and contracts for (the sale of) real estate property, contractors and architects – are even subject to a retention period of 10 years.
This means that the retention period for personal data from accounting documents can be set at a minimum of 7 years, in some cases even 10 years.
- How long should/may I retain (personal data in) a CV or an employment contract?
A large number of social documents are subject to a mandatory retention period of 5 years (Royal Decree of 8 August 1980). The justification for the retention of personal data in these documents is therefore easy to find.
Furthermore, the purpose of processing the concrete personal data is of course important.
The Dutch supervisory authority, called the Autoriteit Persoonsgegevens, states that it is customary for an organisation to delete application data no later than 4 weeks after the end of the application procedure. However, the candidate may give his/her consent for the personal data to be stored for a longer period of time, for example because a suitable position for the candidate may be available at a later date. A maximum period of 1 year after the end of the application procedure is reasonable in the opinion of the Dutch supervisory authority.
For personal data in an employment contract, it is logical that the data should be kept for the period during which the employment contract is executed. The retention of such data after termination of the employment contract is perfectly possible, for instance on the basis of the above-mentioned mandatory retention period for a number of social documents (depending on the specific case).
- How long can I retain a customer’s contact details?
Also in this case the purpose of processing the concrete personal data is important.
When it comes to the data that is needed to execute an ongoing agreement, few questions arise. As long as the contract is in force (or more concretely, as long as certain obligations in the contract are executed or remain relevant – for example, guarantee provisions), personal data can be retained.
If the same personal data is also retained and used for another purpose (in addition to the execution of an agreement), such as for direct marketing purposes, then you can of course retain the data for a certain period after the termination of the agreement.
Finally, you can find another interesting example in this article “Retention periods under GDPR: Interesting decision by the Austrian supervisory authority”.
What if the personal data are also processed by your company’s partners (suppliers, subcontractors, etc.)?
Personal data that you, as the data controller, pass on to a data processor remains your responsibility. You must therefore ensure that the personal data is stored correctly and ultimately deleted by your partner (the data processor).
The obligations of the data processor have to be included in a data processing agreement and the data processor has to receive clear instructions, including on how to store the personal data in accordance with the specified retention periods.
Useful tips on the use of data processing agreements can be found in our article “data processing agreement with your website developer or hosting provider”.
Would you like to take further concrete steps towards GDPR compliance yourself?
Then be sure to take a look at our GDPR toolkit, which you can find here.
Questions about GDPR and data protection in Belgium or Europe, or more specifically about retention (periods) of personal data?
The GBA attacks the IAB Europe TCF: a bomb under online marketing in Europe?
Earlier this week, a document (albeit internal and confidential) became public, in which the Belgian Data Protection Authority, in the context of an investigation following a complaint, is examining the Transparency and Consent Framework of iab Europe in a particularly critical way.
The GBA is of the opinion that TCF, which is the standard in the online marketing world for collecting and sharing online profile data with a view to offering personalized online advertisements, would be fundamentally contrary to GDPR on several points.
This is a first report, not a final decision, but it can have very far-reaching consequences for the entire online marketing world and the way personalized ads are displayed to website visitors.
A potential bomb under the online marketing world in other words …
What is the IAB TCF?
The so-called Transparency & Consent Framework of IAB Europe, or TCF for short, is a standard that is used within the online advertising sector to obtain permission for the placing of cookies and other trackers that should enable advertisers to show website visitors targeted, personalized advertisements across different websites based on their surfing behaviour or their online preferences and profile information.
TCF is also the engine behind Real Time Bidding or RTB, which allows advertisements in “real time”, through automated auction platforms to bid in a fraction of a few milliseconds on a particular ad space on a particular website that is just being visited by someone within the target audience of the advertiser.
Why is this a problem?
Personalized advertising in itself is a good thing without a doubt. After all, relevance is king in online marketing. As an advertiser, you want to be able to deliver the right message to the right person at the right time. Only then can you be sure that your message will get through. People are inundated with advertising messages and only record what really concerns them personally. That is better for the advertiser, who spends less money with unnecessary advertisements, and for the website visitor, who is not disturbed with irrelevant content.
However, there is a serious legal sting to that relevance. After all, creating relevance requires knowledge of your audience and you build that knowledge with as detailed profile information as possible.
That profile information does not fall out of the blue, of course. This is where GDPR and cookie regulations (ePrivacy) come into play. Both require absolute transparency and an appropriate legal basis that allows you to collect data and share it with third parties. In the case of cookies, this legal basis is always prior consent. In the case of GDPR, theoretically, this can also be done without permission, on the basis of the legitimate interest. However, the Belgian Data Protection Authority was very strict at the beginning of this year in its analysis of the legitimate interest in the context of direct marketing (which, according to its analysis, also includes online marketing). As a result, also under GDPR, a de facto free, prior and informed consent is required to collect personal data for online marketing purposes such as RTB …
The problem for a whole range of privacy activists (as many as 22 organisations from 16 countries filed a complaint with the GBA) lies in their finding that this consent is absolutely not obtained correctly within the TCF framework. They have therefore collectively filed a complaint with the Belgian Data Protection Authority. The reason for filing the complaint in Belgium while it concerns a European platform is simple: iab Europe has its offices in Brussels.
What does the GBA say?
The GBA follows the complainants in a first – admittedly interim – report. It confirms that it also believes that the current way of data processing within the TCF framework is not in accordance with GDPR.
Perhaps the biggest objection of the GBA is that according to it, iab itself is responsible for the processing of data that is collected and processed through its TCF framework by advertising agencies and advertisers. After all, according to the GBA, iab Europe (co-) determines the purpose and means for the processing and that makes it a controller under GDPR. This also means that iab Europe has a whole series of obligations regarding transparency, obtaining consent, privacy by design, etc., which GDPR imposes on controllers of the processing.
We personally have questions about this approach by the GBA. After all, iab only makes a tool available. It does not itself determine which data is collected, nor does it itself determine the purposes for which these data are processed by the recipients concerned. This seems at least open to criticism …
It is more difficult to refute the conclusion that when collecting profile data of website visitors via the TCF framework, “sensitive data” (or “special categories of data”, as the GDPR actually calls them) may also be collected. This concerns, for example, medical data, data on sexual preference, political preference, etc. Under GDPR, this data may only be processed if you have received separate explicit consent from the data subject, which is usually not the case with online collection via cookies or trackers. All this, if the first conclusions of the DPA cannot be refuted by iab Europe, is a fundamental fault line between TCF and GDPR, one that is also very difficult to reconcile, taking into account the countless agencies and advertisers that now hold such sensitive data through TCF and also use it daily in RTB campaigns.
Equally worrying for the future of TCF is the fact that TCF actively encourages the use of the legitimate interest as the legal basis for the processing of personal data in the context of online profiling and personalization. However, the Belgian Data Protection Authority already indicated last January in its Direct Marketing Recommendation that the legitimate interest can only serve as a legal basis for (direct) marketing purposes in very exceptional cases. However, consistently requesting separate consent for each collection and transfer of personal data is virtually impossible. The number of parties that intervene in particular in the Real Time Bidding process is so great that this seems difficult to achieve in practice.
In addition, the Belgian DPA has serious reservations about the security of the entire TCF system, in the sense that too few guarantees are built into the framework itself to safeguard the rights of the data subject. This too touches on one of the cornerstones of GDPR, making it a serious setback for the TCF.
Broader context: the end of third party cookies
This landslide received widespread attention last year when first the European Court of Justice and then the Belgian Data Protection Authority also took a hard look at websites that place cookies on the device of visitors without the prior free and informed consent of that same website visitor. But underlying things had been bubbling for a long time. Apple had previously announced that it would block all third party cookies (which mainly collect personal data for marketing purposes) via its ITP 2.1 protocol. Mozilla Firefox soon followed and went a step further by also blocking fingerprinting by third parties, and when Google subsequently announced that third party cookies would also be blocked in Chrome from 2022, it was clear that the online marketing world was facing one of the greatest technical, practical and legal challenges of its existence, in which it will have to learn to survive in a context of cookieless advertising …
We have already discussed this more than once in the past year, including in Obsessed by Marc Bresseel and Renout Van Hove and in an extensive Cookie Cahier that will soon be published by Politeia Publishers. This week it is also exactly the subject of our legal webinar at BAM, the Belgian Association for Marketing.
What does this mean in practice?
In the longer term, the entire sector will have to shift to a different way of advertising, to more contextual campaigns, to using more of its own profile data (whereby the same questions about GDPR compliance and the use of analytics cookies in particular will continue to surface again and again).
Not much will change in the short term. The leaked report is just an interim report. iab Europe will still be able to defend itself (by 7 December 2020 at the latest) and there are certainly a whole series of useful arguments conceivable to water down the final position of the GBA. The final decision is not expected until the course of 2021.
However, all this is the writing on the wall for anyone who collects and processes personal data online, both within and outside TCF. More than 80% of websites in Belgium are still not cookie compliant and over 66% of Belgian companies are not yet GDPR compliant. In our practice, we see daily examples of marketing departments at large national and international companies in banking and insurance, industry, automotive, … that do not master the basics of a GDPR compliant marketing policy. The risks that this entails are magnified by the exponential growth of marketing automation tools, customer data platforms and other adtech toys that flood the market with promises of endless possibilities, but which very often do not comply with the basic rules of our privacy legislation.
So be careful. Have a GDPR compliance audit carried out on your marketing department in good time, think of Data Protection Impact Assessments before you get started with new tools and software and also consider an extensive cookie scan on your website (s) in time.
Questions about GDPR compliance for marketing departments?
Feel free to contact Bart Van den Brande without obligation. You can call or email us on 0486 901 931 or at firstname.lastname@example.org or you can also book a no-obligation introductory meeting via Google Meet directly.
Schrems-II, what now? Data export to the US in 7 steps
Schrems-II is not a look-alike of the Austrian privacy activist Max Schrems and it’s also not the name of his child. It’s the name of his second victory early this summer at the European Court of Justice. We already wrote an article about it because the consequences of this judgment are enormous for data exports abroad. No grace period was granted so each company that exports data to a third country immediately had to put its affairs in order. Schrems also did not allow himself a resting period, but immediately filed 101 complaints with various data protection authorities in the EU. Belgian companies have not been spared either: a complaint has already been lodged against bpost.be, neckermann.be, logic-immo.be and flair.be. So this is not something that doesn’t concern you, you’re exporting data to the US before you know it. Numerous frequently used tools such as Google Analytics, Hubspot, Sharpspring, Facebook and Twitter export data to the US, so almost every Belgian company is affected.
Recently a German data protection authority (from Baden-Württemberg) was the first to issue more concrete guidelines on how life continues after the Schrems-II judgment. We have studied these guidelines thoroughly and summarised the main findings in a number of concrete steps.
Step 1: Make an inventory of all data that you export to third countries
If you already have a data register, this is an easy step for you and you can immediately go to the next step. If you are not familiar with the word ‘data register’, we will gladly provide some further explanation.
The General Data Protection Regulation (GDPR) imposes an obligation on every controller to record all processing activities that take place under its responsibility. In concrete terms you map out a number of things in a data register for all the data you collect: the purposes, the means, the legal bases, the risks to the privacy of those involved, the access to that data, the transfer to third parties,… This provides an overview of all data flows within the company. It considerably simplifies possible inspections and audits.
You can use a number of qualitative questionnaires or evaluation tools for this, but of course Sirius Legal can offer you specialized assistance.
Step 2: Contact your service provider / contracting parties in the third country
We recommend that you inform all your contracting parties, service providers, etc. about the Schrems-II judgment and its consequences. Sirius Legal has created a standard letter template for this with a Data Export Impact Assessment. You can download this template for free at the bottom of this blog post.
The term ‘third country’ doesn’t mean every country other than your own, but rather every country outside the European Economic Area, which is the EU expanded with Norway, Iceland and Liechtenstein.
Step 3: Check whether there is a decision on an adequate level of protection in the third country
For some third countries, the European Commission has decided that this country offers an adequate level of protection (‘an adequacy decision’), so you can export data to those countries based on that decision. The full list of those countries can be found on the website of the European Commission. Currently negotiations are ongoing with South Korea. We will of course follow this closely and keep you continuously informed about any changes through our blog and social media.
Step 4: Assess the legal situation of the third country
In the case of data export to a third country for which there is no decision on an adequate level of protection, we arrive at the next step. In that case, the data protection authority of Baden-Württemberg recommends a thorough investigation of the legal situation of that third country. In this context, it is particularly interesting to check whether national security authorities can gain access to the exported data.
You can consult your national data protection authority for this (in Belgium this is the GBA, in the Netherlands the AP, in France the CNIL and in England the ICO), the European Commission, the EDPB, your national ministry of foreign affairs, …
We understand that this is a complicated and time consuming job. Sirius Legal has an extensive network of foreign lawyers specialized in these matters. This allows us to make our own ‘adequacy assessment’ for almost every third country.
Step 5: Assess whether SCCs are sufficient
Now that you are aware of the legal situation in the third country, it is time to assess whether the Standard Contractual Clauses (SCCs) are sufficient. The SCCs have been created by the European Commission for data export to third countries. These are contracts that you can conclude with the controller or processor in that third country. If no problems were found in the step discussed above, you can use these SCCs without any problem. Keep in mind that the European Commission is reviewing the SCCs. If the SCCs do not suffice, go to the next step.
Step 6: Create additional guarantees and use customised SCCs
The Baden-Württemberg data protection authority proposes a number of additional safeguards. First, the encryption of the data on your end. In that case, make sure that you as an exporter are the only one with the ‘key’ to decrypt the data and that the encryption cannot simply be unlocked. We invite you to read the article ‘Is encryption mandatory under GDPR’ (only available in Dutch for the moment) if you want to know more about encryption.
Second, the anonymization or pseudonymization of the data on your end. This ensures that the recipient of the data cannot simply know who the data subject really is. Keep in mind that this process often has to start before you even enter the data or upload it somewhere.
Subsequently, the Baden-Württemberg data protection authority proposes a number of concrete adjustments and additions to the SCCs:
- An obligation for the data exporter to inform the data subject that his or her data is exported to a third country that does not provide an adequate level of protection;
- An obligation for the data importer to inform both the exporter and the data subject of any request for access to the data. If this is not possible, the obligation to notify the exporter’s national data protection authority;
- An obligation for the data importer to take legal action against any request for access and exhaust these legal measures;
- The granting of more rights to the data subject in a dispute with the data importer and the addition of a compensation clause.
Step 7: And if none of that helps …
It is possible that all of the above measures are either not possible or still do not provide sufficient guarantees. In that case, the Baden-Württemberg data protection authority states that an alternative option exists, but it emphasises that this alternative is interpreted very strictly and is therefore little accepted as a reason for exporting data to a third country. This includes, for example, the possibility to request the consent of the data subject for the data export. However this consent must meet all the requirements of the GDPR. In other words the consent must be free, specific, informed and unambiguous.
If all of the above did not help, it is probably safer to stop the cooperation with the partner.
Forewarned is forearmed
Our previous blog post about the Schrems-II judgment and this blog post should provide you with a running start. A number of recommendations and guidelines will surely be provided by other data protection authorities in the near future which will hopefully provide more clarity. We will of course continue our investigations and inform you about it on our blog and social media. For now you can already start with the following steps:
Step 1: consult your data register / set up a data register
Step 2: inform your service providers / contracting parties
Step 3: check whether a decision has been made about the appropriate level of protection
Step 4: assess the legal situation
Step 5: check whether SCCs are sufficient
Step 6: if not, create additional guarantees and conclude custom SCCs
Step 7: stop the data export / find an alternative
Do you have questions about data export under GDPR or need help with an audit of your current contracts?
Request a template letter and Data Export Impact Assessment
Here you can download the template of a letter with a Data Export Impact Assessment which you can use in your communication to third parties in countries outside the EEA.