On the 16th of July 2020, the Court of Justice of the European Union (“CJEU”) issued their decision in case C-311/18, also known as Schrems II. The CJEU’s decision confirmed the validity of the European Commission Controller-Processor Standard Contractual Clauses (“SCCs”) while invalidating the EU-US Privacy Shield Framework as a mechanism to transfer personal data from the EU to the US. The decision requires organizations engaged in transfers of personal data to a third country to carry out an assessment prior to making a transfer under the SCCs to ensure that data subjects are afforded a level of protection “essentially equivalent” to that guaranteed within the European Union (“EU”) by the GDPR. If this level of protection cannot be achieved through reliance on the SCCs alone, then the exporting organization must implement "supplementary measures" to protect the exported personal data to an "essentially equivalent" standard.
At Secure Code Warrior, privacy protections have been a fundamental component of our services since day one. Our commitment to protecting our customers’ data is not limited by a geographical border or region, and extends to ensure we keep pace with global privacy standards.
With regard to the ruling by the Court of Justice of the European Union (CJEU) in what has become known as the “Schrems II” case, Secure Code Warrior has taken the following preliminary steps:
We will continue to closely follow the recommendations of the European Data Protection Board (EDPB) and the ICO (the UK’s data protection authority) going forward.
Regarding the adoption of Supplementary Measures, and advice from the European Data Protection Board (EDPB), Secure Code Warrior is continuing to review our Technical, Organisational and Contractual measures.
At a glance, here is how Secure Code Warrior is addressing these issues.
1. Technical Measures:
2. Contractual Measures:
We are working with our sub-processors to evaluate compliance with the SCCs and adding into Data Processing Agreements (where applicable) a requirement to notify Secure Code Warrior, as the data controller, in the event a sub-processor is unable to comply with contractual commitments.
3. Organisational Measures:
We are working with our sub-processors to enhance the standard of protection for personal data. These measures include data security certification, the implementation of comprehensive data protection notices, regular review of internal policies, and effective staff training.