Since the Schrems II ruling, it has become more complex for companies to make use of software tools or partners when processing personal data. Especially if those tools or partners are not located within the EU or can guarantee that your data stays within the EU.
Data export is subject to strict rules. The EU provides “Standard Contract Clauses” that in most cases have to be included in agreements and you, as a company, have to perform a risk assessment on top of each data export, so that you can guarantee the necessary technical or organizational security.
Data export is any exchange of data with a partner outside the EU. This could be a hosting provider from whom you rent server space, an offshore call center or customer service, a developer or online marketing agency outside Europe, an e-mail service provider or just about any online service or tool you can think of. GDPR allows data exports to countries outside the EU only if the recipient can guarantee an appropriate level of protection.
A handful of countries are expected to provide an appropriate level of protection anyway, but for most other countries, since the demise of the EU-US Privacy Shield, you need a Data Export Agreement, in which that protection guarantee is written down. In that Data Export Agreement, in most cases you also need to include the European Commission’s Standard Contract Clauses or SCCs. In addition, you must conduct a risk audit and provide “appropriate additional safeguards” to ensure the security of your data outside Europe.
At Sirius Legal, data export audits are an integral part of our GDPR services. Not only multinationals but also Belgian SMEs rely on us to map their data export, whether or not as part of a broader GDPR compliance exercise.
In such a risk audit, we map out together where your data is going, who your partners are and where they are located. We also map who their partners, defined by the GDPR as ‘sub-processors’, are. Then we examine whether or not all those partners export your data outside the EU and whether or not they provide the necessary contractual safeguards in doing so. We evaluate with you whether there is a particular sensitivity associated with your data or your context that makes it necessary for us to build in additional safeguards as well.
We process everything for you in a clear report and discuss its implications with you. If necessary, we also consult with your partners. Our lawyers are trained in negotiations and commercial discussions and protect your legal interests with the greatest respect for your commercial relationships.
For example, we recently advised the European division of an Asian car brand in a data export risk analysis. We compared different potential suppliers on GDPR compliance and data export compliance, drafted the requirements for the award of the project together with the client, and negotiated the details with the selected supplier.
GDPR compliance is a big milestone in privacy legislation. Don’t be discouraged, we are happy to assist you with to-the-point advice that doesn’t have to be expensive at all.
Properly handling personal data is more than complying with the GDPR legislation. There is also specific legislation such as the cookie law, the do-not-call-me register, the Robinson list, etc.
Data capture on your website with which you are legally fully compliant. Not because you have to, but also out of respect for your customers’ privacy, right?
