With the increase of e-commerce and internet landing of many companies that, also due to the Covid pandemic, have transferred several activities on the web, the management and processing of data according to the EU GDPR has returned to the forefront of information requests. Data transfer flows are two-way:
- There are cases of companies based abroad that collect and process sensitive data in the EU, protected by the GDPR.
- And then there are the cases of companies that, instead, collect personal data in Europe, to transfer and manage them abroad.
EU US Privacy Shield GDPR. The agreement that has dispelled the doubts about the owners and managers of personal data and the transfer of personal data collected in the EU
The Privacy Shield GDPR Compliance, the privacy protection mechanism between the EU and the US, is a self-certification mechanism for companies established in the US that wish to receive and manage personal data from the European Union. Let’s take a concrete example: a company based in the USA that owns online software for newsletter services, how does it process and manage personal data collected in Europe and protected by GDPR?
But the cases may be even more obvious. We are thinking of a US company that intends to recruit European staff to carry out some of its activities in the EU and to transfer the sensitive and personal data of its EU employees to the US.
In these cases the benefits of privacy shield comes to the rescue.
This is an agreement to which the US company concerned asks to adhere and which is then included in the Privacy Shield List. The agreement foresees that after a short time the privacy shield certification will be taken, by the US companies that commit themselves to respect the principles of EU Privacy Protection under the GDPR. In addition, they must provide European data owners of personal data that have been transferred to the U.S. with the appropriate protection tools or they will be removed from the Privacy Shield List as a company certified by the U.S. Department of Commerce. The European Commission has considered that the system offers an adequate level of protection for personal data transferred from an individual in the EU to a company established in the US and that, therefore, the Privacy Shield is a source of legal safeguards with regard to such data transfers.
The Privacy Shield is applicable to all categories of personal data transferred from the EU to the U.S., including business information, health or human resources data, provided that the U.S. company receiving such data has self-certified its adherence to the scheme.
The distinction between the roles of individuals identified to protect and manage the personal information
As is well known, the subjects who have ownership of the processing of personal data are:
- The Data Controller: which is “the natural or legal person who determines the purposes and means of the processing of personal data. In essence, the Data Controller is the one who processes the data without receiving instructions from others and who decides why and how the data should be processed. In the case of an online email marketing tool it is the one who opens the account.
- The data subject: who is the natural person to whom the personal data relate. An aside to clarify that the continuous technological evolution of the company makes us all stakeholders in the processing of personal data. Just think about the capillarity of video control systems, fidelity cards, and so on, to understand that in every moment we are potential stakeholders of data processing.
- The data controller or data processor: which is the natural or legal person who processes personal data on behalf of the data controller. In the world of the web these figures are, for example, the internet companies that own the email marketing service tools, as in the case in point, but also web hosting. It should be borne in mind that whoever processes data on behalf of the owner is responsible for the processing, as is the case with web hosting.
As made clear, the data controller is a separate entity from the data controller and may be internal or external to the company. The data controller is responsible for the management. It must choose entities that provide sufficient guarantees in terms of specialist knowledge, reliability and resources to guarantee and implement the safety principle of the GDPR with technical and organizational measures that meet the requirements of the Regulation.
Therefore, the controller shall:
- have qualified expertise;
- ensure particular reliability, for example the absence of criminal convictions;
- have adequate technical resources for the implementation of the obligations arising from the designation contract and the relevant rules. If it is an internal subject within the company the resources will be borne by the owner.
This is why many cloud data management services have been developed – as well as the appointment of the DPO or Data Protection Officer – to make it relatively easy for the data controller to manage personal data collected in the EU and transferred to the USA.
The typology of EU data processed by US companies can be:
- name, email, address or telephone number;
- device information;
- ways of interacting with your email;
- the IP address;
- date and time of connection or opening and clicking on links;
- possibly other data collected by social networks, such as when we log in via Facebook or Google.
Therefore, the Data Controller must comply with European standards and to do so must:
- sign the “Data Processing Agreement”, i.e. the data processing agreement with the data controller;
- activate the GDPR Fields in the service registration form.
Data transfer abroad
Transfer of Data Abroad means the flow or cross-border transfer of personal data to a recipient subject to a foreign jurisdiction.
For the avoidance of misunderstandings and alarms, the simple publication of personal data on a website does not involve transfer abroad.
Only direct communication to specific recipients is covered by the notion of “cross-border data flow” and, therefore, only in this case is data transfer from a country covered by the EU GDPR to a foreign country intended.
In general, the transfer of personal data outside the EEA – European Economic Area – is permitted if the recipient guarantees a level of data protection adequate to the European level.
There are 2 adequacy cases:
The first concerns the transfer of data abroad when the third country guarantees a level of data protection adequate to that of Europe and the GDPR and is included in the Privacy Shield List. In any case, the adequacy is assessed on the basis of the:
- nature of the data;
- purpose of the processing;
- the possibility of such data passing through other countries before reaching their final destination;
- legal provisions, including sectoral ones;
- security measures and Data Breach envisaged.
The second case concerns the transfer of personal data to countries which do not guarantee an adequate level of protection. The example is that of the Data Controller of a company based in Europe, who can enter into a contract with the owner of the company in the third country. Whose clauses in the international contract must be such as to offer an adequate level of protection for the processing of the personal data transferred. In particular as regards a satisfactory level of security and the protection of the rights of the persons concerned, with effective redress mechanisms.
Clearly, the transfer and management of personal data abroad is a complex matter that cannot be solved in these few lines. Also because, since this is an international contractual matter, many rules and standards to be defined for the different fields of action come into play:
- contractual clauses between the data controller, the controller, the recipient;
- binding rules and effective rights;
- code of conduct;
- certification mechanism.
This is why in such cases the intervention of a lawyer expert in the international processing and management of sensitive and personal data is mandatory.
Ed that’s why we recommend the legal advice of the team of lawyers experienced in the management of Privacy under the GDPR EU of the International Law Firm Damiani&Damiani.
Fill out the form and submit your case