Track record of implementing complex privacy regulations across industries.
What Is Schrems II?
On July 16, 2020, the Court of Justice of the European Union (CJEU) concluded in its Schrems II decision that the EU-U.S. Privacy Shield Framework (Privacy Shield) was no longer a valid mechanism for transferring personal data from the European Economic Area (EEA) to the United States. The Court also tightened the rules for organizations that rely on Standard Contractual Clauses (SCCs) for international data transfers.
The introduction of the EU-U.S. Data Privacy Framework (DPF) makes it significantly easier to transfer personal data from the EEA to the U.S. However, organizations that still rely on SCCs must ensure that their data flows comply with the required privacy and security measures brought about by the Schrems II judgment. Non-compliance can attract fines of up to 4% of annual revenue or 20 million euros, whichever is higher.
International Data Transfer Strategic Planning
Key activities include:
- Scoping of Data Transfers from the EEA
VeraSafe guides you through a discovery exercise to identify and document the categories and sources of personal data that your organization exports or receives from the EEA.
- Identify Realistic Alternative Data Transfer Mechanisms
Depending on your organization’s circumstances, various GDPR-compliant data export mechanisms may be useful alternatives if you need to transfer personal data to a U.S. organization that has not certified under the DPF. Your VeraSafe privacy law and cybersecurity professionals will consider all available options and will recommend the best solution for your needs.
- Confirm Compliance with “Appropriate Safeguards”
If the EU Standard Contractual Clauses (SCCs) will be used as part of your organization’s data transfer strategy, VeraSafe will:
- Analyze your organization’s data transfers and data processing practices to confirm that you meet all requirements of the SCCs.
- Draft a memorandum documenting and analyzing your organization’s legal exposure to government surveillance and confirming whether your organization offers an “adequate level of protection” as required by the SCCs.
- Ensure that the new 2021 SCCs adopted by the European Commission are in effect between your organization and all clients or customers that may be exporting regulated personal data to you.
- Analyze and recommend additional data protection controls to help ensure compliance with the SCCs and Schrems II.
- Identify any data transfers to the United States and other countries that might require you to meet more stringent requirements in light of Schrems II.
- Update Privacy Notices and Contracts
Your privacy notices and contracts must meet international data transfer requirements. We will support you through the process to ensure that your documentation is compliant.
- Managing Vendor Relationships
VeraSafe will assist you in ensuring that all contracts with vendors processing personal data received from the EEA include the security and confidentiality obligations required under the SCCs and incorporate the latest guidance from the European DPAs. This includes reviewing, negotiating, and updating existing agreements with vendors, analyzing vendor exposure to applicable state surveillance laws, and keeping vendors informed of and compliant with all data transfer requirements, especially relating to transfers to subcontractors and other onward transfers. VeraSafe will help your organization establish or revise your standard operating procedures for managing vendor relationships in light of Schrems II.
- Managing Intra-Group Data Sharing
If applicable, intra-group data sharing agreements and intra-group data flows will be reviewed and analyzed to confirm that adequate data protection controls are in place and that intra-group data transfers are lawful and compliant with Schrems II.