Take the ISO 27001 course exam and get the
EU GDPR course exam for free
LIMITED-TIME OFFER – ENDS SEPTEMBER 29, 2022

Expert Advice Community

GDPR Query

  Quote
mark950 Created:   Jun 07, 2022 Last commented:   Jun 09, 2022

GDPR Query

We are onboarding a new third party vendor tool which will store our EU customer's data in AWS US. The Vendor is refusing to sign DPA and SCCs with justification as the contract value is very less vendor's legal team won't sign the document. What should we do in this scenario?
0 0

Assign topic to the user

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

EU GDPR DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Tudor Galos Jun 09, 2022

If your vendor is a Data Processor and you are a Data Controller, you are accountable for how personal data is being processed. Storage of personal data in the US is considered to be a personal data transfer, and it must use a transfer mechanism as they are defined in Chapter V GDPR - Transfers of personal data to third countries or international organizations. Since we are talking about a transfer to the US, not only the vendor needs to sign an SCC or a DPA (only if the vendor is subject to GDPR, according to Art 3 GDPR – Territorial Scope, but even then an SCC must be signed between the vendor and Amazon US), it also needs to make sure that personal data is protected from access by US authorities using FISA (Foreign Intelligence Surveillance Act ) 702 legislation (a statute that authorizes the collection, use, and dissemination of electronic communications content stored by U.S. electronic service providers), using additional technical and organizational measures such as BYOK (Bring Your Own Key - encrypted content on US servers, the key stored on EU servers).

In conclusion, if the vendor refuses to take the necessary technical and organizational measures to demonstrate GDPR compliance (including the signing of DPA/SCC and additional technical/organizational measures), as a Data Controller you should change the vendor.

Please consult these links as well:

Tudor Galos
Quote
0 1

Comment as guest or Sign in

HTML tags are not allowed

Jun 07, 2022

Jun 09, 2022