Blog Privacy and data protection
EDPB launches Cookie Task Force to coordinate cookie complaints by NOYB
Privacy advocacy group NOYB (None of Your Business) seems to be stirring up quite a bit of fuss with its automated cookie compliance web crawler. The tool detects violations of the cookie rules on websites across Europe, and it appears to be so effective that even the EDPB has realised it must be prepared for the expected flow of complaints. To coordinate this, the European Data Protection Board has just set up a Cookie Task Force to ensure coordinated action by the various European data protection authorities.
The New Data Protection Act (PIPL) in China explained by our Chinese partner office
In 2021 China adopted a new data protection law, the Personal Information Protection Law (PIPL), which took effect on 1 November 2021. At first sight there are many resemblances with the GDPR, but there are also a few notable differences.
New SCCs are available: adjust your data export agreements
Since last summer’s Schrems II judgment, about which we have repeatedly reported on our blog, exporting personal data outside the EU has become quite cumbersome. In particular, the disappearance of the “Privacy Shield” between the EU and the US is causing a lot of complications and forces European companies to conclude Data Export Agreements on a large scale with non-European (usually American) partners containing so-called “Standard Contractual Clauses”. These SCCs are model clauses published by the European Commission to be incorporated into Data Export Agreements, and they provide the contractual guarantees for a lawful transfer.
However, one of the major problems until now when concluding Data Export Agreements was that the European Commission’s SCCs were outdated. They dated from before the GDPR entered into force and were adapted neither to the GDPR nor to current technological and economic reality.
Those old SCCs have now finally been replaced by new, fully up-to-date versions, adopted in early June 2021, and European businesses can start concluding legally sound and secure Data Export Agreements with their partners outside the EU. Below we summarise what you need to know about the new SCCs. On our download page you will also find a copy of the new SCCs, together with our Vendor Assessment Form, which you can use to determine whether your foreign partners receive personal data from you and whether they handle it correctly and in accordance with the GDPR. That way you can work on GDPR compliance within your company quickly, clearly and with a minimum of effort.
Data export is any exchange of data with a partner outside the EU. It could be a hosting provider from whom you rent server space, an offshore call center or customer service, a developer or online marketing agency outside of Europe, a cloud storage service, an email service provider or just about any online service or tool you can imagine.
GDPR only allows data export to countries outside the EU if the recipient outside the EU can guarantee an appropriate level of protection.
A handful of countries are automatically considered to offer an adequate level of protection (the so-called adequacy decisions), but for most other countries, and certainly for the US since the end of the EU-US Privacy Shield, data export requires a Data Export Agreement in which written data protection guarantees are given.
“Appropriate additional guarantees”
Since the Schrems II judgment, we know that simply signing (the old version of) the SCCs is not in itself sufficient to ensure lawful data export. As a European business, you are obliged to carry out a documented risk assessment for every data export and, where necessary, to obtain “appropriate additional guarantees” from the recipient. We have already explained these several times, for example in this article about Mailchimp and in this webinar on our YouTube page.
New SCCs are “Schrems proof”
The new standard contractual clauses are not only fully aligned with the text and content of the GDPR, they have also been made “Schrems proof”: they contain a number of clauses that reflect the requirements set by the European Court of Justice in Schrems II, such as the prior risk assessment and the obligation to demand additional guarantees where necessary.
Please note that this does not mean that a separate risk assessment and additional guarantees are no longer necessary. As a business you still have to carry out the necessary preliminary investigation before exporting personal data outside the EU, but the new SCCs at least already provide for this obligation in their text, which the old ones did not.
In the past, several “versions” of the SCCs coexisted. Depending on the situation, you chose one of those versions and incorporated it into an agreement, for example the version for data export between a European controller and a non-European processor.
That system has been replaced by one single set of SCCs with a modular structure, which you adapt to your own situation by including or omitting individual modules. According to the European Commission this should make them easier to use, but we personally fear that it will do exactly the opposite and seriously hamper the use of these model documents by non-lawyers.
That one set of SCCs now also covers, for the first time, two situations that were previously missing: the transfer by a processor in the EU to a controller outside the EU, and the transfer by a processor in the EU to another processor outside the EU.
Replace your existing SCCs in time, with the help of Sirius Legal!
The old SCCs may still be used for new data exports for three months after the new ones enter into force. For existing data exports there is a further grace period of fifteen months, after which all existing Standard Contractual Clauses must also be replaced by the new ones.
Since the content of the new SCCs has changed considerably (there are, for instance, many new additional guarantees and obligations), this means that as a company you will have to renegotiate many of those existing model contracts, or at least review the new versions carefully before signing.
Sirius Legal can help you with that. Visit our website for our “Data Export Compliance” service, with which we guide your company through the maze of old and new SCCs and “additional appropriate measures”.
In any case, make sure you have a good overview of all your data exports in a spreadsheet, check with whom you do or do not have a current Data Export Agreement, and make sure to invite those partners in time either to amend an agreement concluded in the past or to conclude a new Data Export Agreement where none existed before.
Do not forget to carry out an individual impact assessment and to document it properly. If one day there is a cyber attack or hack at one of your suppliers and it turns out that you did not follow the rules before entrusting your data to them, you quickly risk being held liable for the consequences of such a data breach.
Be aware that data export is a point of attention for many supervisory authorities, including our Belgian Data Protection Authority. The German authorities, for example, announced this week that they will carry out extensive checks on data exports by German companies, focusing primarily on the use of email service providers, hosting companies, tracking via cookies, application management and the exchange of customer data within groups of companies, for example via Customer Data Platforms.
Questions about data export or GDPR in general?
We are happy to make time for you. Feel free to call or email Bart Van den Brande at firstname.lastname@example.org or +32 492 249 516 or book a free online introductory meeting with Bart via Google Meet or Zoom.
How The Bavarian Mailchimp decision makes the impact of the Schrems II judgment on data export painfully clear
A recent decision by the Bavarian data protection authority raises serious doubts about whether the popular email marketing platform MailChimp can be used legally under the GDPR.
By extension, the same problem arises for almost all US software applications that process personal data of EU residents. After all, data export to the US has been a serious legal issue ever since the European Court of Justice annulled the Privacy Shield last summer and at the same time made clear that Standard Contractual Clauses are a difficult alternative, because they require a case-by-case assessment of whether additional measures are needed to protect the data.
It is precisely that issue of additional measures that is now highlighted by the Bavarian Mailchimp decision.
The Schrems II ruling of the European Court of Justice last summer has been making itself felt across Europe over the past few months. Many companies have hesitated over how to react to the ECJ’s decision to overturn the EU-US Privacy Shield. After all, almost all software tools that European companies use today are American and, since most of them are now cloud services or online tools, their use by definition involves data export to the US.
The problem was made worse by the fact that, in the same judgment, the ECJ added that for any data export outside the EU (also to destinations other than the US) the exporting company must take into account that the Standard Contractual Clauses which the European Commission itself provides to safeguard data export between organisations inside and outside the EU are not, on their own, sufficient.
The Schrems II judgment requires that transfers of personal data to cloud service providers in the United States be assessed on a case-by-case basis and, where the data would not enjoy a level of protection essentially equivalent to that in the EU, that additional safeguards be put in place. For exports to the US such additional safeguards are almost automatically required, given the far-reaching investigative powers of the US intelligence agencies, for example under section 702 of the Foreign Intelligence Surveillance Act (50 USC § 1881a), and the access rights created by the US CLOUD Act.
Using Mailchimp not OK?
It sounds almost absurd, but the Bavarian data protection authority (Bayerisches Landesamt für Datenschutzaufsicht, BayLDA) earlier this month prohibited a European online magazine from using Mailchimp any longer to send its newsletters.
The reason? Well, by using Mailchimp to send newsletters, companies are sending personal data (e.g. email addresses and recipient names) to Mailchimp’s servers in the United States and that is potentially not OK.
The Bavarian Data Protection Authority justified its decision by noting that the company had not previously investigated whether additional safeguards were needed for the transfer of personal data to Mailchimp, in particular because Mailchimp, as an electronic communications service provider, may be subject to US surveillance law such as section 702 FISA.
Note in this context the important nuance that the Bavarian Data Protection Authority did not rule that Mailchimp is illegal per se. Instead, it ruled that in this particular case the company’s use of Mailchimp was unlawful because the company had not previously assessed whether adequate additional measures had been taken to protect the personal data from access by US authorities.
Following the Schrems II judgment, European companies should indeed have started a broad data export audit or “vendor assessment” within their organisation, in order to determine whether:
- there is any data exchange outside the EU/EEA;
- there is an appropriate legal basis in accordance with Chapter V GDPR (standard contractual clauses, binding corporate rules or one of the other, less common transfer grounds);
- the data concerned is in any way particularly sensitive and whether the data export as such can be justified;
- additional safeguards are required at the receiving end of the data flow;
- more generally, the receiving party can guarantee all-round GDPR compliance.
This exercise obviously has to be documented in detail under the GDPR’s accountability principle, and that is precisely why Sirius Legal has offered a free Data Export Impact Assessment form on its website since last September. That form has meanwhile been downloaded hundreds of times by companies all over Europe.
The EDPB has meanwhile also listed a number of additional measures in its “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” of 10 November 2020. That document sets out various data export scenarios and indicates for each whether and how a secure exchange of personal data can be ensured, or which set-up is in any event not sufficiently secure.
The recurring message in that document is that personal data should be encrypted before it is exported, using encryption that the exporter controls itself (with the keys kept in the EU, preferably using European technology), separate from and in addition to the platform’s own encryption.
The use of Mailchimp falls squarely within this context. Personal data is exported to the US, where Mailchimp qualifies as an electronic communications service provider under FISA, which means it may have to give the US government access to its customers’ data. Encryption is therefore necessary. Only… an email marketing platform cannot work with encrypted data: Mailchimp needs the email addresses and names in clear text to send the newsletter at all, so the kind of encryption the EDPB has in mind is technically not possible here, and it is hard to see how a European company can use Mailchimp in a legally compliant manner.
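What the EDPB’s “encrypt before export, keep the keys at home” recommendation looks like in practice, and where it stops working for a mailing platform, is easiest to see in code. The following is an added example written for this article, not code from the EDPB, from Mailchimp or from any of the tools mentioned above. It assumes a constructed subscriber record and a hypothetical provider that only needs the email address in clear; the field names, the sample contact and the key handling are all illustrative. Fields the provider does not need are encrypted with AES-256-GCM under a key that stays with the EU exporter, with the email address bound in as associated data so a ciphertext cannot be moved to another subscriber. The email address itself cannot be protected this way, which is exactly the Mailchimp limitation discussed above.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Contact is a constructed subscriber record (sample data, not from any real list).
type Contact struct {
	Email     string // the mailing service needs this in clear to deliver anything
	FullName  string
	Interests string
}

// ExportRecord is what actually leaves the EEA: fields the provider does not
// need are AES-256-GCM ciphertext under a key that never leaves the exporter.
// Email stays in clear, which is why this approach cannot cover a mailing tool fully.
type ExportRecord struct {
	Email        string
	FullNameEnc  string // base64(nonce || ciphertext || GCM tag)
	InterestsEnc string
}

// NewExporterKey generates the 32-byte key the EU exporter keeps to itself.
func NewExporterKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts one field; aad (the subscriber's email) is authenticated but
// not encrypted, so the ciphertext only opens next to the same address.
func seal(key []byte, plaintext, aad string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(aad))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// open reverses seal; a wrong key, a changed aad or any tampering fails authentication.
func open(key []byte, enc, aad string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(enc)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(aad))
	return string(pt), err
}

// Export builds the record handed to the non-EU provider.
func Export(key []byte, c Contact) (ExportRecord, error) {
	name, err := seal(key, c.FullName, c.Email)
	if err != nil {
		return ExportRecord{}, err
	}
	interests, err := seal(key, c.Interests, c.Email)
	if err != nil {
		return ExportRecord{}, err
	}
	return ExportRecord{Email: c.Email, FullNameEnc: name, InterestsEnc: interests}, nil
}

// Import recovers the clear record on the EU side; only the key holder can do this.
func Import(key []byte, r ExportRecord) (Contact, error) {
	name, err := open(key, r.FullNameEnc, r.Email)
	if err != nil {
		return Contact{}, err
	}
	interests, err := open(key, r.InterestsEnc, r.Email)
	if err != nil {
		return Contact{}, err
	}
	return Contact{Email: r.Email, FullName: name, Interests: interests}, nil
}

func main() {
	key, _ := NewExporterKey()
	rec, _ := Export(key, Contact{Email: "alice@example.org", FullName: "Alice Example", Interests: "legal, privacy"})
	fmt.Printf("what the provider sees: %+v\n", rec)
	back, _ := Import(key, rec)
	fmt.Printf("what the exporter recovers: %+v\n", back)
}
```

The provider, and anyone with legal access to its servers, sees the email address and two opaque strings. That is acceptable for a storage or analytics provider, but a newsletter tool also has to see the name to personalise the mail and the address to deliver it, so for Mailchimp the only clear-text column is precisely the one that matters.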
Mailchimp as a wake-up call?
Until now, it seemed that the European data protection authorities had turned a blind eye for the time being and had granted a kind of unofficial grace period for European companies and organisations to adapt to the changed legal situation after the Schrems II judgment. This certainly also had to do with the fact that the aforementioned Standard Contractual Clauses are being reviewed and updated by the European Commission at this very moment.
However, the action of the Bavarian Data Protection Authority shows that things are now getting serious and that companies will eventually have to ensure a secure exchange of personal data with their non-European partners. In a press release accompanying the Mailchimp decision, the Bavarian authority noted that in its view this case is an example of how the Schrems II judgment will be enforced in practice in the future.
Is your software “data export compliant”?
The painfully problematic conclusion is that no American software application can currently be used in a completely “GDPR compliant” way.
At Sirius Legal we have ourselves conducted a benchmark in recent months of 10 of the best-known marketing tools, including Mailchimp, SharpSpring, HubSpot, ActiveCampaign, Salesforce and a few others. The conclusion is that most of these (all American) providers have adapted in recent months in the sense that they no longer invoke the Privacy Shield as a legal basis but now refer to Standard Contractual Clauses, yet all of them still show several essential shortcomings in the area of data export compliance:
- in some cases the Standard Contractual Clauses are unavailable or, in any event, nowhere to be found on the website;
- most vendors provide either no or only very general and vague “additional safeguards”;
- most, if not all, providers rely on sub-processors whose identity and location are insufficiently clear and for whom there is little or no guarantee of GDPR and data export compliance.
The same applies by extension to other non-European cloud services or online applications: almost by definition they are not (completely) GDPR compliant, and any use of them requires a prior audit and possibly additional technical or organisational safeguards.
Can European companies no longer use American or other non-European services at all?
Fortunately, things are not as problematic as they might seem at first sight. Jumping to the conclusion that all non-EU software should be banned would be absurd in the globalised society and economy as we know it today.
In the Mailchimp case, the problem was evident: the company in question apparently had not made any prior risk assessment at all to document whether additional safeguards were needed. That in itself was enough to provoke this decision.
Future cases will probably lead to less obvious sanctions, at least where the EU companies concerned have made a well-balanced and documented prior risk analysis or have even implemented additional safeguards. Which measures are “sufficient” in which context will only become clear once enough case law is available, but it is evident that the sensitivity of the data and the risk of access requests from abroad play a role. In that context, the mailing list of a legal weekly looks much less problematic than the membership list of a political party, and in the former case a well-founded prior assessment may (?) be sufficient.
However, this decision should without a doubt be seen as a warning to all companies and organizations in Europe on the importance of due diligence when transferring personal data outside the EU. As a company, it is best to get started as soon as possible with a strict and thorough internal audit exercise on the basis of which you can demonstrate that you have assessed whether or not your data can come into the hands of third parties and especially foreign governments if you use non-European applications.
If necessary, feel free to use our free Data Export Impact Assessment form to collect the necessary information from your non-European partners.
Also take into account that if a supplier cannot or will not provide the information you need to properly assess the potential risks, you will have to consider whether you can continue to work together, and in the worst case you will indeed have to look for an alternative (preferably European) partner.
Would you like to know more about the practical impact of Schrems II?
Register for the Schrems II webinar of our international contact network Consulegis, “The Practical Impact of Schrems II on International Data Flows”, on April 14th. Speakers from the EU (including Bart Van den Brande for Sirius Legal), the UK, the US and India will discuss the legal and practical sensitivities of international data flows and make time for all your questions and concerns.
Why Clubhouse is yet another example of companies that do not take your and my privacy seriously
Every so often yet another new social media platform pops up that, according to insiders and early adopters, is going to change the internet.
The success stories of the Snapchats and TikToks of this world have two things in common: on the one hand, their success often fades just as quickly as the hype started, and on the other (and this is something the privacy advocate in me finds continuously disturbing) the companies behind those apps never seem to pay any real attention to your and my privacy. In some cases the main reason seems to be a rather disturbing lack of knowledge and understanding of (European or other) data protection law, but just as often the impression remains that the entire business model of social media companies is built on unbridled data collection with the aim of building user profiles and selling those as ad profiles to advertisers around the globe.
School book marketing strategies
The latest rising star in the social media firmament is Clubhouse, an invitation-only audio chat app that you can only access and use after an invitation from one of your friends.
In other words, the makers of Clubhouse have used a few marketing classics to make their new product a success: creating artificial scarcity by limiting access to the product, and counting on the ego of the fortunate few to fuel the hype and make the masses eagerly await the moment when they too are admitted to the inner circle. This technique proved its success on school playgrounds around the world many years ago, as children fiercely hunted for that one rare Pikachu card, and even today we all fall for the same strategies.
A word about privacy and GDPR …
But Clubhouse appears to carry the same flaws as so many other success stories in the appstore of your choice. The marketing strategy is well thought through, but no one seems to have really thought about respect for your and my privacy along the way.
It is not surprising that Clubhouse is now subject of investigations by various European privacy authorities. Both the French CNIL and the state DPA in Hamburg, the HmbBfDI, are currently investigating the way in which Alpha Exploration Co., the American company behind Clubhouse, handles personal data of its current and future users.
In France, the investigation is the result of a petition against Clubhouse, which has now collected more than 10,000 signatures and anyone who remembers the millions of fines in France for Google and Amazon last December knows that the CNIL is not afraid to strike hard against American tech companies.
Your contact details processed without you knowing …
One of the biggest issues with Clubhouse is that the whole system is built on a member-get-member model, in which existing members upload their phone’s contact list to Clubhouse. Based on those contacts, Clubhouse invites new users or has its existing users invite them.
In other words, even if you have not received an invitation yet, Clubhouse has probably already processed your personal data without your permission via one of your friends or acquaintances, and that in itself is very problematic.
Just a few months ago, the Belgian GBA imposed a hefty fine on dating website Twoo in very similar circumstances, arguing that no valid legal basis under GDPR can be found for the processing of friend data. After all, your friends have not given permission to – in this case – Clubhouse to process their data, nor to you to process and share their data with Clubhouse for that purpose. Nor can Clubhouse and its users rely on a legitimate interest in this context and the processing of contact details of non-users therefore lacks a valid legal basis.
Incidentally, the need to demonstrate sufficient legal grounds is not an administrative formality. The obligation to have a valid legal basis for any processing of personal data is one of the cornerstones of GDPR and of your and my privacy protection …
Conversations recorded without knowing it…
By the way, did you know that Clubhouse also records your conversations? That need not be a problem, at least as long as Clubhouse only uses those recordings to evaluate complaints and then permanently deletes them from its servers. Whether Clubhouse actually does so, we do not know, but the previous paragraphs of this article give very little confidence.
Another point on which Clubhouse fails to offer transparency is the data collection by means of cookies and other trackers. Clubhouse itself indicates that it collects data in this way and that it shares this data with advertisers via advertising networks. However, as far as we could determine, Clubhouse does not provide a clear overview of which cookies and trackers are used, which data is collected and with whom exactly that data is shared. Moreover, again as far as we could determine, no free and informed opt-in is obtained for the use of those cookies and trackers …
Data export outside the EU
Exporting personal data outside the EU (for example by storing it on servers in the US) is only allowed under strict conditions and requires contractual and technical security guarantees. Clubhouse, however, limits its privacy policy on this point to the short statement that “By using our Service, you understand and acknowledge that your Personal Data will be transferred from your location to our facilities and servers in the United States, and where applicable, to the servers of the technology partners we use to provide our Service”.
Should you stay away from Clubhouse then?
Time will tell whether Clubhouse is just another hype or a stayer in the social media landscape. The above comments do not necessarily mean that you should not work with Clubhouse. Follow the hype if you feel called to do so, there is nothing wrong with that.
But as a consumer and citizen you better be aware of what big tech companies do with your data, so that you can make conscious choices.
Want to know more about GDPR, data protection or social media?
Do not hesitate to contact us via email@example.com or book a no-obligation video call with Bart via this link: https://koalendar.com/events/Meet-with-Bart-Van-den-Brande
Who is the competent Data Protection Authority to take you to court?
An upcoming judgment of the Court of Justice may have interesting consequences for companies operating in a cross-border context. In a recent opinion on the case of the Belgian Data Protection Authority (DPA) against Facebook, the Advocate General of the Court of Justice wrote that ‘the DPA of the country in which the registered office of a company is located has a general power to initiate legal proceedings against that company. The other DPAs also have this power, but only in a limited number of cases.’
Local and leading authorities
A DPA is an independent government body that, among other things, watches over our right to privacy. Each European country has at least one such authority, which exercises its powers within its territory. Several DPAs can be competent at the same time, because data processing problems increasingly cross borders. In that case there is a lead DPA: the DPA of the country in which the controller or processor committing the infringement has its main establishment (usually its registered office).
Belgium vs. Facebook
The case started about five years ago when the predecessor of the Belgian DPA took Facebook to court. The reason for this was, among other things, the use of tracking cookies. These are cookies used to follow Internet users across different websites. The court initially ruled in favor of the predecessor of the Belgian DPA, but Facebook appealed the decision. Facebook claims that the Belgian DPA does not have the authority to commence legal proceedings against it. It is of the opinion that only the DPA of the place of its registered office is competent to start legal proceedings. In this case, that would be the DPA of Ireland.
Subsequently, the Brussels Court of Appeal asked the Court of Justice in Luxembourg who is competent to bring legal proceedings against a company in the event of cross-border infringements: only the lead DPA, or any national DPA?
One DPA to rule them all
We are still waiting for a judgment from the Court of Justice, but Advocate General Michal Bobek has already delivered his opinion, and such opinions are almost always followed by the Court. In his opinion he clarifies that DPAs do indeed have the power to take infringers to court, but that in cross-border disputes this power is limited: in that case only the lead DPA may initiate proceedings, in consultation with the other competent authorities.
This is the one-stop-shop mechanism. It means that, in the first instance, a company can only be sued by the DPA of the country of its main establishment. In the Facebook case, that is the Irish DPA, which must however act in close cooperation with the other DPAs. Mind you, victims of an infringement can still start proceedings in their own country against companies established in another country.
The Advocate General identifies five situations in which a national DPA that is not the lead DPA can nevertheless initiate legal proceedings:
- for breaches outside the material scope of the GDPR; the French DPA (CNIL), for example, has already imposed fines in this context for breaches of the cookie rules in the ePrivacy Directive;
- for cross-border processing carried out by public authorities, in the public interest or in the exercise of official powers;
- when the controller has no establishment in the European Economic Area;
- for urgent measures;
- after the lead DPA has decided not to handle a case.
It will now be several months before the Court of Justice gives its final ruling on the case. After that, the Brussels Court of Appeal will rule on the case, taking into account the Court of Justice’s replies.
A possible consequence of this situation is that some companies will move their headquarters to the country with the least stringent DPA. Indeed, some DPAs are more lenient on certain issues than other DPAs.
Belgium’s digital industry unites to discuss the use of analytics cookies without prior opt-in with the Belgian Data Protection Authority (GBA)
Last week Sirius Legal met with the Belgian Data Protection Authority, as legal representative of the united Belgian digital industry, about the use of analytics cookies.
On 7 January sector organizations ACC, BAM, Cube, Feweb, SafeShops.be, UBA and UMA (representing agencies, advertisers, web builders and webshops) met with Belgium’s DPA to convey their concerns about the way in which prior explicit consent must be requested for the use of analytics cookies in online environments today. The sector organizations, which together represent the broad spectrum of the Belgian online world, did so on the basis of an extensively substantiated position paper that was written by Sirius Legal.
Concern about explicit consent for analytics cookies
The major concern across the sector is that the obligation to request website visitors’ consent by means of a cookie banner causes very great economic damage. Many website visitors, with some statistics speaking of more than 80%, simply click away the often annoying cookie pop-ups or do not opt in. As a consequence, webshops and online marketers miss out on essential statistics about website visits and visitor behaviour that they need to optimise their web content. This creates a great deal of frustration, because in neighbouring countries such analytics cookies can be used without prior consent from the visitor, which puts Belgian online entrepreneurs at a serious competitive disadvantage.
The entire industry is very committed to online privacy and welcomes the transparency that mandatory cookie opt-ins bring when it comes to data collection for marketing purposes. However, the industry insisted on the great urgency for the DPA to take action when it comes to (anonymous) analytics data. The same message will be presented to the competent minister, in order to provide for a similar exception for Belgium as those which already exist in France, the Netherlands or Germany for strictly analytical purposes. High-performance websites, which are adapted to the expectations and needs of the consumer, are in the first place also to the advantage of precisely that consumer. After all, good analytics data makes it possible to offer better services and products, under better conditions and at better prices, to precisely that consumer.
Position paper and relevant articles
The full position of the sector has been elaborated in a position paper that provides a very good outline of the current issue and reflects the point of view of the entire digital sector.
Over the past few months, we have written a number of articles about this issue at Sirius Legal and are particularly pleased that our position paper is so enthusiastically endorsed throughout the digital sector. Sirius Legal, together with BAM, the Belgian Association for Marketing, and the other associations, will take the necessary steps to arrive at a proposal for text and negotiations with the cabinet of the Minister Mathieu Michel. We will certainly keep you informed!
Sirius Legal is and has been the legal partner of several of the signing parties to this position paper, including BAM, UBA, SafeShops and Feweb. These partnerships place us in the center of the Belgian online industry and allow us to offer high quality legal services to the entire industry.
- No e-commerce without analytics data
- “No cookies without permission”, says the European Court of Justice
- New Cookie Guidelines in France (also relevant for Belgium, article in Dutch)
Questions about cookies or the position paper?
Feel free to contact Bart Van den Brande: bart@siriuslegal or book a short meeting into his agenda using this link.
A bit of important GDPR news at the beginning of this new year: Brexit and Standard Contract Clauses
2020 was a turbulent year for the whole world for obvious reasons, but GDPR-wise too the year did not go unnoticed. Anyone who followed our blog last year will have noticed that many companies throughout Europe were fined, sometimes very heavily. Google, Amazon, Marriott, Ticketmaster, H&M, British Airways, Vodafone, … the list of companies that ran into difficulties is quite impressive. Moreover, there was a lot of fuss about the impact of the Planet49 judgment and, last summer, the Schrems II judgment.
At almost literally the very last minute, 2020 brought two more important developments that we did not want to keep from you at the start of the new year: Brexit is a fact and, against all odds, a Brexit deal was reached that also covers data exports to the UK; and, in the same sphere of data export, the European Commission published its long-awaited draft of the new Standard Contract Clauses for data export outside the EEA. We summarise both briefly below.
The impact of the Brexit deal on data export
It seemed like the never-ending story, but at the very last minute the EU and the UK finally reached an agreement on (the broad outlines of) their cooperation after Brexit. That agreement also contains one short passage on data protection and data exports between the UK and the EU.
After all, from 1 January 2021 the UK is a 'third country' under the GDPR. We explained earlier that, without a Brexit deal, the UK would suddenly have to be treated like Russia or China in terms of data exports, since the UK is not automatically included in the list of 'safe' countries that are considered to offer a level of data protection equivalent to that of the EU itself. Anyone sending data to the UK would then have to implement the necessary alternative safeguards for data export. In most cases that would mean concluding agreements based on the European Commission's Standard Contract Clauses, possibly supplemented with additional guarantees in the light of the Schrems II judgment. In addition, existing Binding Corporate Rules that were approved by the UK ICO (which is no longer a European data protection authority) would have to be replaced, and many UK companies would have to appoint a representative in the EU.
Fortunately, the Brexit agreement remedied this at the last minute in the form of a commitment on the part of the EU to quickly grant the UK an adequacy decision and, in the meantime, to grant the UK temporary adequacy for a period of up to six months. As a consequence the UK can, at least for the time being and pending formal recognition, be considered a safe third country. The agreement works in both directions, so also for data that flows from the UK to the EU. Data exchange with the UK can – for the time being at least – continue undisturbed and without further legal or administrative intervention.
There is one small reservation for now: although the Brexit agreement has been provisionally applied since 1 January 2021, it still needs to be formally approved by the European Council and the European Parliament before it can be ratified and fully implemented. The deal also has to be approved by the British Parliament. Should the agreement ultimately not be approved, the problems foreseen earlier regarding data exchange after Brexit would soon resurface.
New Standard Contract Clauses
Just as long awaited as the Brexit deal were the new versions of the Standard Contract Clauses for data export outside the EU. After all, the old versions were not aligned with the GDPR's terminology and were very clumsy to use. Moreover, the Schrems II ruling made it clear last summer that the existing SCC's alone are not a sufficient legal basis for data export outside the EEA (the EU plus Iceland, Liechtenstein and Norway): the parties must assess the law of the destination country case by case and, where needed, add supplementary safeguards. The European Commission has therefore been working on an update of the existing contract clauses for a long time.
In the meantime, on 12 November 2020, the European Commission published its proposal for modified and supplemented SCC's for consultation. The consultation period ended shortly before Christmas. The Commission is now processing the feedback received into its final versions and is also awaiting, among other things, the EDPB's final recommendations on appropriate additional safeguards for data export (following the Schrems II judgment). The Commission's intention is to embed those safeguards contractually in the SCC's, so that data exports outside the EEA based on the new SCC's can proceed smoothly and securely without additional hassle.
The Commission provides for a transition period of 12 months from the date the final version is published for companies to implement the new SCC's. Anyone who exports data on the basis of the old SCC's, or of the since-annulled Privacy Shield, should therefore keep an eye on the Commission's website.
The new (for now draft) SCC’s have a modular structure: one central version of the SCC that is adapted with additional text modules to cover four scenarios:
- transfer between two (or more) controllers
- transfer from a controller to one (or more) processors
- transfer from a processor to one (or more) (sub-)processors
- transfer from a processor to one (or more) controllers
The draft SCC’s focus much more than before on transparency, no doubt prompted by the Schrems II judgment. For example, in a controller-to-controller transfer the data importer must provide the data subjects (directly or through the data exporter) with extensive information, such as the identity of the data importer and details of the intended processing.
The draft SCC’s also oblige the data importer, in the event of onward transfer to a third party, to sign a corresponding SCC with that receiving third party or to provide another sufficient legal basis.
By default the SCC’s also contain a guarantee by the data importer that no local law will affect its obligations as data recipient. To that end the parties must carry out an impact assessment in advance to verify the possible impact of local legislation. In addition, the data importer must immediately notify the data exporter (and, where possible, the data subjects) of access requests by local authorities and, for example, take appropriate legal action against unlawful access requests.
This time the SCC’s also come with an extensive appendix. The European Commission is expected to add concrete minimum technical and organisational measures to protect data during export. Those additions will be based on the EDPB's final recommendations on exactly those measures, which are to be published soon as a follow-up to the Schrems II judgment.
The modernisation of the Standard Contract Clauses is a step forward for smooth data export outside the EEA, but the fear remains that it will not be sufficient in the long term. Most lawyers anxiously await another Schrems judgment, this time directed against the SCC’s rather than the Privacy Shield as last year. After all, the underlying problem remains the same: no contractual or structural arrangement can provide certainty about data security outside the EU. Foreign security services have widespread access, lawful or otherwise, to European data, and recipients outside the EEA can never guarantee that this is prevented, even with new and stricter SCC’s …
Nevertheless, you should give priority to implementing the new SCC’s as soon as they are final. We have already explained how to approach this in a number of webinars (recordings are available on our YouTube channel) and on our website (with a handy questionnaire that you can send to partners outside the EEA to assess whether the data you exchange with them is processed safely and correctly).
Questions about international data transfers or about GDPR in general?
The practical guide on retention periods for personal data
An important principle that companies must take into account when processing personal data is the principle of storage limitation. According to that principle you have the obligation to organise the “data lifecycle” of the personal data that you process and, more specifically, to set and monitor maximum retention periods for those personal data.
It is not always easy to determine exactly how long the personal data can be stored and many companies are struggling with this. How long can you store which personal data? How long is it “necessary” to store personal data? What should you take into account when setting retention periods? Can you always freely determine the storage periods?
In this article, we try to answer these questions on the basis of a practical guide from the French supervisory authority (the Commission Nationale de l’Informatique et des Libertés, or CNIL).
The data lifecycle, what is it?
Almost every company processes personal data. Data is collected, organised and stored, updated and further used, possibly forwarded and eventually deleted. The set of processing operations that personal data undergoes forms the life cycle of personal data.
In its practical guide, the CNIL divides this life cycle into three subsequent phases:
- The current use (“active basis”) of personal data: this stage concerns the current use of personal data by the various departments within the company responsible for processing them. In concrete terms, this means the collection of personal data and their daily use within the company. The personal data are accessible in the immediate working environment for the various stakeholders who have to work with the personal data.
- The interim archiving of personal data: the personal data are no longer actively used to achieve the recorded purposes (“closed files”), but remain of interest to the company because they may be useful later, for example in possible future disputes or to comply with a legal obligation. The personal data may only be consulted on an ad hoc and reasoned basis by specifically authorised persons.
- The final archiving of personal data: this concerns personal data that are archived without a time limit. It concerns processing carried out for the purpose of archiving in the public interest, scientific or historical research or statistical purposes. The CNIL notes that this last stage is mainly relevant for the public sector.
The CNIL emphasises the basic principle laid down in article 5 GDPR that personal data must be definitively deleted at the end of the intended processing, in other words: when the purpose for which the data were used has been achieved.
This does not mean that data should be systematically deleted everywhere and in all cases. Personal data can be used for various successive applications (and therefore purposes) and a different retention period may apply for each application and purpose.
For example, it is possible in certain cases to temporarily archive or anonymise personal data. In this respect, permanent anonymisation is on the same footing as deletion, since anonymised data are no longer personal data.
How do you determine appropriate retention periods?
The GDPR does not determine exactly how long personal data may be retained. In other words, the regulation does not provide a list of predetermined retention periods.
However, the CNIL does provide some useful guidelines:
- Sometimes the law determines how long you may or must retain data (for example, the retention of certain accounting documents).
- There are also sector-specific guidelines from some supervisory authorities, such as the CNIL itself (see for example its “reference frameworks“, such as reference RS-001 “the management of health monitoring”).
- In some cases, references can also be found within the sector, for example in sector codes.
The CNIL offers an evaluation scheme to help companies determine retention periods. That scheme can be found here.
Some concrete examples
- How long can I retain (personal data in) the invoices from my accounts (bookkeeping)?
Each company has the obligation to keep its accounting documents for 7 years from the first day of the year following the closing of the financial year (Royal Decree of 21 October 2018).
Documents relating to construction and renovation – including invoices and contracts for (the sale of) real estate property, contractors and architects – are even subject to a retention period of 10 years.
This means that the retention period for personal data from accounting documents can be set at a minimum of 7 years, in some cases even 10 years.
- How long should/may I retain (personal data in) a CV or an employment contract?
A large number of social documents are subject to a mandatory retention period of 5 years (Royal Decree of 8 August 1980). The justification for the retention of personal data in these documents is therefore easy to find.
Furthermore, the purpose of processing the concrete personal data is of course important.
The Dutch supervisory authority, called the Autoriteit Persoonsgegevens, states that it is customary for an organisation to delete application data no later than 4 weeks after the end of the application procedure. However, the candidate may give his/her consent for the personal data to be stored for a longer period of time, for example because a suitable position for the candidate may be available at a later date. A maximum period of 1 year after the end of the application procedure is reasonable in the opinion of the Dutch supervisory authority.
For personal data in an employment contract, it is logical that the data are kept for as long as the employment contract is being performed. Retaining such data after the employment contract has ended is perfectly possible, for instance on the basis of the above-mentioned mandatory retention period for a number of social documents (depending on the specific case).
- How long can I retain a customer’s contact details?
Also in this case the purpose of processing the concrete personal data is important.
When it comes to the data that is needed to execute an ongoing agreement, few questions arise. As long as the contract is in force (or more concretely, as long as certain obligations in the contract are executed or remain relevant – for example, guarantee provisions), personal data can be retained.
If the same personal data are also retained and used for another purpose (in addition to the execution of the agreement), such as direct marketing, you can of course retain the data for that purpose for a certain period after the agreement has ended.
Finally, you can find another interesting example in this article “Retention periods under GDPR: Interesting decision by the Austrian supervisory authority“.
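The lifecycle and the examples above translate naturally into a small retention model that a privacy or security engineer can run against a data inventory: each record carries one purpose per use, each purpose has its own retention end, and the record's stage (active, interim archive, final archive, disposed) and disposal date follow from the purpose that ends last. The code below is an added example written for this page, not a tool of Sirius Legal or the CNIL. It encodes only the rules quoted in the article (the Belgian 7-year accounting rule counted from 1 January following the closing of the financial year, the Dutch DPA's 4-week/1-year guidance for applicant data) and a constructed sample invoice record; the 2-year guarantee, the 3-year direct-marketing period and the record identifier are assumptions for the sake of illustration, not figures from the article.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import List, Optional


class Stage(Enum):
    ACTIVE = "active"             # daily use by the departments that need the data
    INTERIM_ARCHIVE = "interim"   # closed file: ad hoc, reasoned access by authorised persons only
    FINAL_ARCHIVE = "final"       # public-interest / research / statistical archiving, no time limit
    DISPOSED = "disposed"         # to be deleted or permanently anonymised (equivalent under GDPR)


@dataclass
class Purpose:
    name: str
    retention_end: date       # last day on which this purpose still justifies keeping the data
    archive_only: bool = False  # True if the purpose only justifies interim archiving (e.g. a legal obligation)


@dataclass
class Record:
    record_id: str
    purposes: List[Purpose]
    final_archive: bool = False  # archiving in the public interest etc.: no retention limit


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February falls back to 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def accounting_retention_end(financial_year_close: date, years: int = 7) -> date:
    """Belgian rule quoted in the article: N years counted from the first day of the
    year following the closing of the financial year (7 by default, 10 for construction)."""
    period_start = date(financial_year_close.year + 1, 1, 1)
    return date(period_start.year + years, 1, 1) - timedelta(days=1)


def application_data_retention_end(procedure_end: date, consent_to_keep: bool = False) -> date:
    """Dutch DPA guidance quoted in the article: delete applicant data within 4 weeks of the
    end of the procedure, or keep it up to 1 year with the candidate's consent."""
    if consent_to_keep:
        return add_years(procedure_end, 1)
    return procedure_end + timedelta(weeks=4)


def stage_on(record: Record, today: date) -> Stage:
    """Lifecycle stage of a record on a given day, derived from its still-valid purposes."""
    if record.final_archive:
        return Stage.FINAL_ARCHIVE
    live = [p for p in record.purposes if p.retention_end >= today]
    if not live:
        return Stage.DISPOSED
    if any(not p.archive_only for p in live):
        return Stage.ACTIVE
    return Stage.INTERIM_ARCHIVE


def disposal_date(record: Record) -> Optional[date]:
    """Day after which the record must be deleted or anonymised: the latest purpose end.
    None means no time limit (final archiving)."""
    if record.final_archive or not record.purposes:
        return None
    return max(p.retention_end for p in record.purposes)


def example_invoice_record() -> Record:
    """Constructed sample: a customer invoice under a contract that ended on 31 March 2021.
    Assumed: 2-year guarantee, 3-year direct-marketing retention after contract end,
    booked in the financial year closed on 31 December 2021."""
    contract_end = date(2021, 3, 31)
    return Record(
        record_id="INV-2021-0042",  # hypothetical identifier
        purposes=[
            Purpose("contract execution incl. guarantee", add_years(contract_end, 2)),
            Purpose("direct marketing", add_years(contract_end, 3)),
            Purpose("bookkeeping (legal obligation)",
                    accounting_retention_end(date(2021, 12, 31)), archive_only=True),
        ],
    )


if __name__ == "__main__":
    rec = example_invoice_record()
    for day in (date(2022, 6, 1), date(2024, 6, 1), date(2029, 1, 1)):
        print(day, stage_on(rec, day).value)
    print("dispose after", disposal_date(rec))
```

Running the script shows the sample record moving from active use (while the contract and guarantee purpose is live) to interim archiving (when only the bookkeeping obligation remains) to disposal after 31 December 2028. The same `Purpose` objects are what you would hand to a data processor as the retention instruction required by the data processing agreement discussed further below.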
What if the personal data are also processed by your company’s partners (suppliers, subcontractors, etc.)?
Personal data that you, as the data controller, pass on to a data processor remains your responsibility. You must therefore ensure that the personal data is stored correctly and ultimately deleted by your partner (the data processor).
The obligations of the data processor have to be included in a data processing agreement and the data processor has to receive clear instructions, including on how to store the personal data in accordance with the specified retention periods.
Useful tips on the use of data processing agreement can be found in our article “data processing agreement with your website developer or hosting provider“.
Would you like to take further concrete steps towards GDPR compliance yourself?
Then be sure to take a look at our GDPR toolkit, which you can find here.