I am the sole privacy employee for our multinational company. We don't use Privacy Shield for data transfers; we have SCCs in place, and I am completing a data mapping exercise. I suspect our cloud-based providers like AWS may store data in the US. Virtually all our client and employee data would be visible and processed to some extent in the US.
I am worried about the lack of concern from other areas of the business like IT and IS. Who do I need to get engaged, and how best can I do this?
How and who to engage to get traction for Schrems II
Elisavet D.
Hi! Compliance with Schrems II can be challenging 🙂 The first thing to do is map your processors and the sub-processors. Carry out a data transfer mapping. Have in mind that you need to capture US (sub-)processors that fall under the scope of US surveillance laws, even if a transfer of personal data doesn't occur (e.g. you use AWS but the selected region is in the EEA; there is no data transfer per se, but US authorities can still access the data due to the extraterritorial scope of US surveillance laws). After you do that, since we know that the US is not an adequate country, you need to consider whether the application of additional technical, organisational or contractual measures will ensure effective protection.
Elisavet D.
You can read the EDPB’s Guidelines on the topic for more info: https://edpb.europa.eu/our-work-tools/public-consultations-art-704/2020/recommendations-012020-measures-supplement-transfer_en