
As with the Safe Harbor agreement in 2015, the European Court of Justice has now also overturned the EU-US Privacy Shield, in judgment C-311/18 of 16 July 2020.
The Privacy Shield is an agreement between the EU and the USA that aimed to establish a certain level of protection for personal data that was to be transferred to the USA. Companies could submit to the requirements of the Privacy Shield in order to create an adequate level of data protection in accordance with Art. 45 GDPR. This legal basis served to allow personal data to be transferred to a third country, in this case the USA.
Companies that have transferred personal data to the US on the basis of the EU-US Privacy Shield can no longer rely on it. As a result, any data transfer is now no longer permitted and can be stopped and fined by the authorities. Another legal basis that allows the transfer of personal data to the USA is therefore urgently needed.
An alternative legal basis is, for example, the creation of "appropriate safeguards" according to Art. 46 GDPR. These are intended to create a certain level of protection for personal data when it is transferred to a third country. Such safeguards can be, for example, binding internal data protection rules (Binding Corporate Rules, BCR) or the standard data protection clauses issued by the European Commission.
The Binding Corporate Rules are of interest to companies that operate globally; they are intended to make it possible to transfer personal data within the company to third countries with inadequate levels of data protection. However, they must be approved in advance by the supervisory authority.
Most relevant here are the standard data protection clauses (or standard contractual clauses), which are concluded as an addendum to the contract between the data transmitter in the EU and the recipient in the third country. They form a further contract between the parties, comparable to a contract for commissioned processing according to Art. 28 GDPR. With this contract, the parties undertake to maintain an appropriate data protection standard for the transfer of data and to grant the data subjects the necessary rights. It should be noted, however, that these clauses may only be deviated from in order to increase the level of protection, not to disadvantage data subjects.
Unlike, for example, the "grace period" granted when the GDPR entered into force, the ECJ ruling does not provide for a transition period. All data transfers based on the Privacy Shield are currently illegal, and another legally secure solution must be created.
If you already have standard contractual clauses in place, this is already a very good start. However, it must be checked on a case-by-case basis whether they are effective.