EU-US Privacy Shield struck down: OTRS AG gives security tips to help US businesses comply with data transfer requirements

Cupertino, July 30, 2020 – The judgment of the European Court of Justice has been delivered: The EU-US Privacy Shield, which had legitimized the exchange of personal data between the EU and the US, was declared invalid. The ECJ determined that the level of data protection required by European standards was not guaranteed.

“In concrete terms, the failure of the Privacy Shield means that a legal basis for the transfer of data from the EU to the US has been removed,” says Jens Bothe, security expert at OTRS Group. “Therefore, US companies should examine the legal basis on which their data is transferred in order to act in accordance with the GDPR, avoid possible fines, and maintain relationships with EU businesses.”

OTRS Group gives four tips to support US service providers as they seek to continue working with EU citizen data:

1) Check the legal basis for data transfer between countries

  • US service providers need a legal basis for the transfer, typically the EU Standard Contractual Clauses (SCCs). A transfer to the USA already takes place, for example, whenever a company uses communication systems whose provider is headquartered in the USA.
  • If personal data are processed on behalf of the customer, the controller and the processor must also conclude a data processing agreement (DPA). This is a central component of the GDPR and regulates the rights and obligations of controller and processor.

2) Implement technical and organizational measures

Furthermore, technical and organizational measures (TOMs) must be agreed between the two companies and reviewed regularly so that the protection remains effective. Technical measures include securing user accounts, enforcing password rules and authenticating users. Organizational measures are protections that can be implemented by instruction, such as registering visitors or applying the dual-control (four-eyes) principle.

3) Pay attention to where the data is located

Whenever possible, US service providers should host the data in European data centers. If the data stays in the EU, a transfer to the USA may not be necessary at all.

4) Create uniform compliance rules

All companies should have clear compliance rules and remind their employees of them regularly. Employees should be aware that they may not download and use arbitrary systems on their company computers, only those that meet the compliance rules.



OTRS Group is the manufacturer and the world’s largest provider of the service management suite OTRS, awarded with the SERVIEW CERTIFIED TOOL seal of approval.

It offers flexible solutions for process and communication management to companies of all sizes, saving them time and money. Among its customers are Lufthansa, Airbus, IBM, Porsche, Siemens, BSI (German Federal Office for Information Security), Max Planck Institute, Toyota, Hapag Lloyd and Banco do Brasil. OTRS is available in 40 languages. The company consists of OTRS AG and its six subsidiaries OTRS Inc. (USA), OTRS S.A. de C.V. (Mexico), OTRS Asia Pte. Ltd. (Singapore), OTRS Asia Ltd. (Hong Kong), OTRS do Brasil Soluções Ltda. (Brazil) and OTRS Magyarország Kft. (Hungary). OTRS AG is listed on the basic board of the Frankfurt Stock Exchange. For more information, see

Press Contact OTRS:
Address OTRS AG
Zimmermühlenweg 11
61440 Oberursel
Name Christina Meyer
Phone +49 6172 681988-0
