Track record of implementing complex privacy regulations across industries.
What Is Schrems II
On July 16, 2020, the ECJ concluded in its Schrems II decision that the EU-U.S. Privacy Shield Framework (“Privacy Shield”) was no longer a valid mechanism for transferring personal data from the European Economic Area (“EEA”) to the United States. With no grace period to allow companies to adapt, the Schrems II judgment obligates organizations previously depending on the Privacy Shield Framework to immediately identify an alternative solution to continue their data transfers from the EEA to the United States.
The Court also tightened the rules for organizations that rely on Standard Contractual Clauses (“SCCs”) for international data transfers. Organizations using SCCs must examine their data flows and determine if new privacy and security measures now need to be implemented. The European Data Protection Authorities have urged organizations to reassess their transfers of personal data outside the EEA in light of the Schrems II judgment. Non-compliance can attract fines of up to 4% of annual revenue or 20 million euros, whichever is higher.
VeraSafe Will Strategize a Cost-Effective Schrems II Compliance Plan for Your Organization That Will Enable You to Continue Necessary Data Transfers.
Key activities include:
- Initial Scoping of Data Transfers from the EEA
VeraSafe guides you through a discovery exercise to identify and document the categories and sources of personal data that your organization exports or receives from the EEA.
- Identify Realistic Alternative Data Transfer Mechanisms
Depending on your organization’s circumstances, various GDPR-compliant data export mechanisms may be a useful alternative to the Privacy Shield Framework. Your VeraSafe advisors will consider all available options and will recommend the best solution for your needs.
- Confirm Compliance with “Appropriate Safeguards”
If the EU Standard Contractual Clauses (“SCCs”) are to be used as part of your organization’s new data transfer strategy, VeraSafe will:
- Analyze your organization’s current data transfers and data processing practices to confirm that you meet all requirements of the SCCs.
- Draft a memorandum documenting and analyzing your organization’s legal exposure to state surveillance and confirming whether your organization offers an “adequate level of protection” as required by the SCCs.
- Ensure that SCCs are in effect between your organization and all clients or customers that may be exporting regulated personal data to you.
- Analyze and recommend additional data protection controls to help ensure compliance with the SCCs and Schrems II.
- Identify any data transfers from EEA member states or regions that have more stringently or expressly restricted transfers of personal data to the United States in light of Schrems II.
VeraSafe will draft written material that your organization can provide to interested third parties (e.g., your clients) describing the Schrems II decision and the efforts your organization is taking to ensure compliance with the new EU data transfer rules.
- Update Privacy Shield Disclosures
VeraSafe will update your organization’s privacy notice and will ensure that your agreements with clients and customers are revised, as needed, to introduce alternate data transfer solutions.
- Managing Vendor Relationships
VeraSafe will assist you in ensuring that all contracts with vendors processing personal data received from the EEA include the security and confidentiality obligations required under the SCCs and incorporate the latest guidance from the European DPAs. This includes reviewing, negotiating, and updating existing agreements with vendors, analyzing vendor exposure to applicable state surveillance laws, and keeping vendors informed of and compliant with all data transfer requirements, especially those relating to transfers to subcontractors and other onward transfers. VeraSafe will help your organization establish or revise your standard operating procedures for managing vendor relationships in light of Schrems II.
- Managing Intra-Group Data Sharing
If applicable, intra-group data sharing agreements and intra-group data flows will be reviewed and analyzed to confirm that adequate data protection controls are in place and that intra-group data transfers are lawful and compliant with Schrems II.