Privacy Shield Invalidation (Schrems II)

Privacy Shield Invalidation and Secure Code Warrior's Practices

What is Schrems II?

On the 16th of July 2020, the Court of Justice of the European Union (“CJEU”) issued their decision in case C-311/18, also known as Schrems II. The CJEU’s decision confirmed the validity of the European Commission Controller-Processor Standard Contractual Clauses (“SCCs”) while invalidating the EU-US Privacy Shield Framework as a mechanism to transfer personal data from the EU to the US. The decision requires organizations engaged in transfers of personal data to a third country to carry out an assessment prior to making a transfer under the SCCs to ensure that data subjects are afforded a level of protection “essentially equivalent” to that guaranteed within the European Union (“EU”) by the GDPR. If this level of protection cannot be achieved through reliance on the SCCs alone, then the exporting organization must implement "supplementary measures" to protect the exported personal data to an "essentially equivalent" standard.

Secure Code Warrior's position on Schrems II

At Secure Code Warrior, privacy protections have been a fundamental component of our services since day one. Our commitment to protecting our customers’ data is not limited to any geographical border or region, and extends to keeping pace with global privacy standards.

With regard to the ruling by the Court of Justice of the European Union (CJEU) in what has become known as the “Schrems II” case, Secure Code Warrior has taken the following preliminary steps:

  • Updated our Data Processing Addendum to include (where relevant) Standard Contractual Clauses (SCCs) with our data processors.
  • Communicated with our European-based GDPR consultants to ensure we address the revised requirements.
  • Undertaken a review of all data flows, including our records of processing activities as per GDPR Article 30.
  • Undertaken a dedicated risk assessment of the CJEU ruling and its implications for us as a company and for the data processors we use.
  • Conducted privacy/data protection due diligence and a risk assessment for all international transfers, including:
      • validating that each data processor is compliant with the GDPR, and
      • confirming that each data processor maintains strong security to supplement the requirements under the GDPR.
  • Assessed all relevant GDPR, privacy and security documentation to ensure we are fully aligned with the requirements under the GDPR and Schrems II.

We will continue to closely follow the European Data Protection Board (EDPB) and the ICO’s (the UK’s data protection authority) recommendations going forward.

Supplementary Measures

Regarding the adoption of Supplementary Measures, and the advice from the European Data Protection Board (EDPB), Secure Code Warrior is continuing to review our Technical, Organisational and Contractual measures.

At a glance, here is how Secure Code Warrior is addressing these issues.

1. Technical Measures:

  • We have adopted encryption algorithms to help secure data transfers. Secure Code Warrior has partnered with our cloud providers, AWS and MongoDB, to ensure customer data is encrypted at rest and in transit and that all encryption keys are stored securely. Furthermore, we are exploring options to offer our customers (at a cost to the customer) additional encryption measures, such as "customer key management" or a "cloud-based hardware security module (HSM)", that would enable the customer, or SCW on the customer's behalf, to generate and manage encryption keys.

2. Contractual Measures:

We are working with our sub-processors to evaluate compliance with the SCCs, and are adding provisions to Data Processing Agreements (where applicable) that require a sub-processor to notify Secure Code Warrior, as the data controller, in the event it is unable to comply with its contractual commitments.

3. Organisational Measures:

We are working with our sub-processors to enhance the standard of protection for personal data. These measures include data security certification, the implementation of comprehensive data protection notices, regular review of internal policies, and effective staff training.
