Expert Advice Community

GDPR Query

mark950 Created:   Jun 07, 2022 Last commented:   Jun 09, 2022

We are onboarding a new third-party vendor tool which will store our EU customers' data in AWS US. The vendor is refusing to sign the DPA and SCCs, with the justification that, as the contract value is very low, the vendor's legal team won't sign the document. What should we do in this scenario?
Expert
Tudor Galos Jun 09, 2022

If your vendor is a Data Processor and you are a Data Controller, you are accountable for how personal data is being processed. Storage of personal data in the US is considered to be a personal data transfer, and it must use a transfer mechanism as defined in Chapter V GDPR - Transfers of personal data to third countries or international organizations. Since we are talking about a transfer to the US, not only does the vendor need to sign an SCC or a DPA (only if the vendor is subject to GDPR, according to Art 3 GDPR – Territorial Scope, but even then an SCC must be signed between the vendor and Amazon US), it also needs to make sure that personal data is protected from access by US authorities using FISA (Foreign Intelligence Surveillance Act) 702 legislation (a statute that authorizes the collection, use, and dissemination of electronic communications content stored by U.S. electronic service providers), using additional technical and organizational measures such as BYOK (Bring Your Own Key - encrypted content on US servers, the key stored on EU servers).

In conclusion, if the vendor refuses to take the necessary technical and organizational measures to demonstrate GDPR compliance (including the signing of DPA/SCC and additional technical/organizational measures), as a Data Controller you should change the vendor.

Please consult these links as well:

Tudor Galos