Recently we celebrated the anniversary of the GDPR coming into force (May 25th), and we would like to remind you of key issues for those transferring data overseas. The General Data Protection Regulation (GDPR) divides the world into two parts:
a) The European Economic Area (EEA), where there are no particular barriers to the processing of personal data
b) countries outside the EEA. Data flows outside the EEA (including cloud services, shared access to databases, etc.) are strictly regulated and subject to particular safeguarding mechanisms.
In our digital world, companies often have suppliers across the globe or are part of a larger group. In these cases, to operate successfully on a global scale, they must manage their human resources and client data effectively. Shared internal databases, for example, are one of the tools that help companies do this. However, using them means transferring personal data.
The data protection landscape is constantly changing. Some of the changes that have taken place, such as Brexit or the European Court of Justice's Schrems II judgment (which annulled the Privacy Shield mechanism used for data transfers to the USA), directly affect transfers of personal data to countries outside the EEA.
Taking this into account, we have prepared a brief to-do list to make sure your company is GDPR compliant. It is necessary:
1) to evaluate your data flows, carefully considering all cooperation partners (IT, cloud services) to understand whether it is possible to continue cooperation and what steps must be taken
2) to assess the need for appropriate security mechanisms for transferring data to countries outside the EEA
3) to review and, if necessary, amend agreements with cooperation partners (the standard condition is that data may not be transferred outside the EEA)
4) to review privacy policies, which often provide that data is not transferred outside the EEA or reference Privacy Shield mechanisms