Expert Advice Community

Guest

What should I do to be compliant?

Guest user Created:   Aug 27, 2020 Last commented:   Aug 28, 2020


I haven’t contacted you for a long time. I’m very happy to have completed the basic framework of the company’s GDPR in 2019 with your help, but now there is a problem, as you know, that is: “On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as ‘invalid’ the European Commission's Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-US Privacy Shield”.

Our current situation is:

We have always been certified under the EU-US Privacy Shield, so we declare on our website that it complies with GDPR, but it is invalid now. In this case, what should I do to be compliant? In addition, we have no office in the EU, just between China and the USA, and we use standard clauses for transfers between China and the USA.


Expert
Alessandra Nisticò Aug 28, 2020

As you said, the Schrems II decision invalidated the EU-US Privacy Shield, therefore you need to consider using another legal ground to allow personal data transfers between the US and the EU (i.e. the Standard Contractual Clauses (SCC) or the Binding Corporate Rules (BCR)).

The European Data Protection Board (EDPB) recently published a FAQ sheet on the implications of the Schrems II decision that you can find here: https://edpb.europa.eu/news/news/2020/european-data-protection-board-publishes-faq-document-cjeu-judgment-c-31118-schrems_en

One of the suggestions made by the EDPB is to consider avoiding storing personal data in the US and to prefer Cloud Service Providers with servers based in the EU in order to be compliant with GDPR requirements. Please note that the decision applies to the transfer of personal data, not to all data transfers.

You might also be required to appoint an EU representative for GDPR compliance. It is a simple procedure with a service agreement, and you can appoint a company, a legal entity or an individual which can be contacted by the Data Protection Authorities in case of need.

Here you can find more information:

You can consider enrolling in our free EU GDPR Foundations Course
