On 16 July 2020, the Court of Justice of the European Union (CJEU) issued its judgement in what has become known as the Schrems II case. The CJEU was asked to review the validity of the Privacy Shield and Standard Contractual Clauses (SCCs) as approved mechanisms to protect the transfer of personal data from the EU under the General Data Protection Regulation (GDPR).
The decision of the CJEU was to invalidate the EU-US Privacy Shield Framework as a transfer mechanism for exports of personal data to the US. The SCCs remain valid, in principle, as a mechanism to transfer personal data outside the EU/UK, but the CJEU judgement adds an element of due diligence for the organizations that use these agreements and allows local Data Protection Authorities (DPAs) within Europe to prohibit or restrict transfers made under the SCCs if they believe the agreement won’t be complied with and the personal data won’t be adequately protected.
As we state in our privacy notices, we do transfer data including personal information that has been collected by our clients in our hosted systems to data centers and service providers in the US. Full details of the service providers we use are available on our vendor management page. We also use cloud-based software solutions in the US for customer relationship management, support and incident management, and marketing communications.
We have already completed a review to identify vendors where we relied on the Privacy Shield Framework to protect the personal data we transfer outside the EU and can confirm that we have SCCs in place with all the service providers for our hosted systems. We are currently working to put in place SCCs with any remaining Privacy Shield vendors who provide us with software solutions for our internal operations.
We are reviewing what further due diligence is required in order to ensure that our use of the SCCs is appropriate and that we are confident that it is possible for the provider to meet their requirements in the agreement. We continue to monitor the decisions of DPAs in all the European territories where our offices and customers are based.