Cupertino, July 30, 2020 – The judgment of the European Court of Justice has been delivered: The EU-US Privacy Shield, which had legitimized the exchange of personal data between the EU and the US, was declared invalid. The ECJ determined that the level of data protection required by European standards was not guaranteed.
“In concrete terms, the failure of the Privacy Shield means that a legal basis for the transfer of data from the EU to the US has been removed,” says Jens Bothe, security expert at OTRS Group. “Therefore, US companies should examine the legal basis on which their data is transferred in order to act in accordance with the GDPR, avoid possible fines, and maintain relationships with EU businesses.”
OTRS Group gives four tips to support US service providers as they seek to continue working with EU citizen data:
1) Check the legal basis for data transfer between countries
- US service providers must enter into EU standard contractual clauses in order to have a legal basis for data transfer. A transfer already takes place, for example, when a company uses communication systems whose provider is headquartered in the USA.
- If personal data are involved, the contract authority must also conclude a GCU (contract processing agreement). This is a central component of the GDPR and regulates the rights and obligations of the contract authority and the contractor.
2) Implement technical and organizational measures
Furthermore, TOMs (Technical and Organizational Measures) must be in place between the two companies and must be reviewed regularly in order to ensure security. On the technical side, these include measures such as securing user accounts, password enforcement and user identification. On the organizational side, they cover protections that can be implemented by instruction, such as visitor registration or the dual control principle.
3) Pay attention to where the data is located
Whenever possible, US service providers should use European data centers to host their data. Where this is possible, a transfer of data to the USA may not be necessary at all.
4) Create uniform compliance rules
All companies should have clear compliance rules and remind their employees of them regularly. Employees should be aware that they may not download and use arbitrary systems on their company computers; they should only use those that comply with the compliance rules.
For more information on how OTRS can structure enterprise security, click here.
About OTRS AG
OTRS Group is the manufacturer and the world’s largest provider of the service management suite OTRS, awarded with the SERVIEW CERTIFIED TOOL seal of approval.
It offers flexible solutions for process and communication management to companies of all sizes, saving them time and money. Among its customers are Lufthansa, Airbus, IBM, Porsche, Siemens, BSI (Federal Office for Security in Information Technology), Max Planck Institute, Toyota, Hapag Lloyd and Banco do Brazil (Bank of Brazil). OTRS is available in 40 languages. The company consists of OTRS AG and its six subsidiaries OTRS Inc. (USA), OTRS S.A. de C.V. (Mexico), OTRS Asia Pte. Ltd. (Singapore), OTRS Asia Ltd. (Hong Kong), OTRS do Brasil Soluções Ltda. (Brazil) and OTRS Magyarország Kft. (Hungary). OTRS AG is listed on the basic board of the Frankfurt Stock Exchange. For more information, see www.otrs.com.