In this way, the legislator hopes to achieve better compliance with the legal regulations. Since the GDPR imposes new formal obligations on the data processors, existing contract documents must be adapted. Companies that have their data stored or processed by service providers should therefore be prepared to be confronted with new contracts . The first draft contracts are currently being drawn up by the data protection associations. A major advantage is that from May 2018, contracts can expressly be concluded electronically. The previously strict written form requirement (handwritten signature) is therefore no longer applicable .
The instrument of order processing will remain uae number dataset largely intact. However, due to individual changes, existing contractual relationships must be reviewed and adjusted if necessary by the deadline. Negligence will be subject to much higher penalties in the future.
Companies should therefore start reviewing their service provider contracts at an early stage. In addition to traditional letter shops, this also includes all cloud applications that store or process personal data on behalf of others. If you use a service provider or agency to send newsletters, this contractual relationship is also affected.
What to consider when using US services
Whether Google Drive, Dropbox or Slack - young companies in the digital sector in particular are increasingly relying on external service providers and are not giving much thought to the data protection this affects. Due to the dominance of US companies, sensitive customer data is quickly processed outside the EU. The requirements that must be observed here are also regulated in the GDPR.
requirements of international data exchangeIf a company intends to transfer personal data to recipients abroad, a distinction must be made:
When data is transferred between EU member states or EEA member states, only the general justifications apply.
In the case of data transfer to third countries (e.g. the USA), additional requirements apply. However, the provisions of the EU General Data Protection Regulation do not differ significantly from the previous legal situation.
In the case of data transfer to third countries, a two-stage check must be carried out. First, as with data transfers within the country or other EU countries, a justification under the GDPR must apply (such as the consent of the data subject, the company's overriding legitimate interest or an agreement to process the data). If this is the case, a second step must be taken to determine whether the third country or at least the specific recipient has an adequate level of data protection . This second step is often ignored, which can lead to the data processing being generally inadmissible.
The GDPR provides a number of different instruments for determining adequacy. For data transfer to the USA, EU standard contractual clauses and certifications such as the “Privacy Shield” can still be relied upon. The European legislator is therefore still striving to enable international data transfer. However, these instruments also involve a risk . The “Privacy Shield” in particular has come under criticism, which means that the agreement could be overturned in the near future by either the ECJ or the EU Parliament. Protection by means of EU standard contractual clauses has not yet been confirmed by the ECJ either. If you look at the ruling on “Safe Harbor”, it cannot be ruled out that the EU standard contractual clauses will not withstand European data protection laws either.
Conclusion:
It can be seen that international data transfer is still possible under the new regulations, but due to the constantly changing political situation, it also involves a risk. The use of US services is also only permitted if the basic regulations on data processing in connection with the Privacy Shield and/or EU standard contractual clauses are fully complied with. Negligence can quickly threaten one's existence.
In future, unlawful transfers to third countries will be subject to fines of EUR 20 million or up to 4% of the company's total worldwide turnover for the previous year.