On 16 July 2020, the European Court of Justice declared the EU-US Privacy Shield to be ineffective and thus issued a landmark decision for all businesses whose product or customer business involves data exchange with the United States.
What does this decision mean for businesses?
Controllers within the scope of the GDPR are now no longer permitted to transfer personal data to the US unless so-called Standard Contractual Clauses are in place. Previously, such transfers were permissible to data recipients certified under Privacy Shield; in that case, concluding Standard Contractual Clauses was unnecessary.
Are the current EU Standard Contractual Clauses still effective?
The Standard Contractual Clauses (SCCs) remain effective; however, there may be a need for adjustments (so-called SCCs+) and/or a tightening of the Controller's technical and organisational measures (TOMs+).
What are the risks for businesses that do not act?
If the authorities were to detect a violation of the GDPR following an inspection, this could lead to orders by the authorities (e.g. "Stop the data transfer immediately") or even to the well-known fines under the GDPR.
As a reminder: fines of up to EUR 20,000,000 or up to 4% of the total annual worldwide turnover in the preceding business year, whichever is greater, may be imposed.
CLARIUS.LEGAL has developed a roadmap to help you adjust your internal processes efficiently, identify risks in existing contracts and implement the necessary changes in practice.
CLARIUS.LEGAL specialises in process establishment and adaptation in accordance with data protection law. Among other services, we will provide you with audit questionnaires for your US clients, business partners or service providers, which will facilitate your own audit. CLARIUS.LEGAL then evaluates the answers for you and, in consultation with you, determines the concrete need and effort for action.
We will support the entire implementation process and work with you to implement business-oriented solutions.
Because the ECJ (European Court of Justice) has not set a grace period and the EDSA (European Data Protection Board, EDPB) has also announced that it will not grant one, businesses must now act quickly. We help with our efficient working method and start the implementation with a systematic initial analysis of the data protection situation in your business.
The most urgent to-dos will be the adaptation of existing contracts and TOMs (technical and organisational measures), among others:
Initial audit of the data protection situation
Review of contracts and data protection documents
Adjustment of existing TOMs
Compliance with data protection regulations