Information technology contracts and data security news – BollyInside

Peter Nordbeck, Lawyer, Law Firm Delphi.
In the ruling, the European Court of Justice rescinded the privacy shield as a mechanism for transferring personal data to the United States, but ruled that standard terms of the contract could still be applied. However, the person responsible for personal data must examine whether the law in the recipient’s country ensures adequate security of personal data prior to outsourcing.

In early June this year, the final version of the EDPB’s recommendations for transferring personal data to countries outside the EUP / EEA was released. The final version of the European Commission’s standard contract terms came before mid-summer. In addition, in a decision on June 28, the European Commission allowed the transfer of personal data to the United Kingdom.

In the fall of 2020, the European Data Protection Board (EDPB) issued the first edition of recommendations regarding the transfer of personal data to countries outside the EU / EEA. The European Commission has developed proposals for new fixed-term terms to change the terms of the GDPR and take into account the Shrews II ruling.

Below I will comment on the impact they have on the outsourcing of these news and IT services.

In my opinion, the new status is a relief in the possibility of transferring personal data to countries outside the EU / EEA in the event of an outsourcing event. Before I comment in more detail, let me first review what the recommendations mean.

Recommendations of the EDPB regarding the transfer of personal data to countries outside the EU / EEA
The first version of the recommendations was criticized during public consultation as being too strict and impractical. ETPP took into account the views, especially on the question of how the law should be assessed in practice in the recipient’s country.

See also  Will COVID-19 Drive Up Payroll Taxes to Save Social Security? - Nasdaq

Among the recommendations “Road map“Information on what companies, officials and other entities must comply with before a third country transfer (and in relation to current transfers) and what additional protections may be required for a third country transfer in accordance with GDPR.

Various steps to be followed by companies in Third Country Exchange:

Identify which personal data exchanges take place to third countries.
Identify the transfer mechanism in Chapter V of the GDPR (e.g. standard contract clauses),
Investigate whether law or practice in a third country controls the effectiveness of the transfer mechanism;
Identify and take additional safety measures if necessary,
Take the necessary practical steps for the application of additional safety measures;
Evaluate the level of security of personal data transferred to a third country at appropriate intervals and monitor whether there are any changes that could affect the level of security.
Examples of additional security measures according to point 4 are the encryption of personal data, for example, the storage of service data provided by a cloud service provider. Another security measure highlighted is the nickname of personal data, which means that personal data is not displayed in clear text, but additional data is required to identify the individual. The most important change in the final recommendations is the evaluation of the law and the view of how the law should be applied in the recipient country. It is no longer “black or white” in the way it feels in the previous version of the recommendations.

Focuses on how law and practice in the recipient’s country affects the current transfer of personal data In practice. For example, Section 702 of the U.S. FISA Act explicitly states in the examples given in the recommendations that the United States may be allowed to transfer personal data if it does not apply to the transfer in question in practice. Transfer mechanism (e.g. standard contract clauses). It is emphasized, however, that the study of law and practice in the third country to be carried out must be complete.

See also  H-1B: S.F. tech firm sues feds over denied visa for Indian man with U.S. master’s degree - The Mercury News

Key factors of the study: Whether the data sent in the law and / or practice of the recipient country and / or applicable to the recipient;
Experience and / or related data transfer experience from outsourcing provider and other related providers in the relevant field;
Whether the authorities of the recipient’s country have requested access to data such as that of the hijacker;
Whether access to the outsourcing provider was allowed or denied if there was an official request.
It is emphasized that evaluation-based information should be relevant, objective, reliable, verifiable, and publicly available.

As can be seen, extensive work needs to be done to document how laws and practices in the recipient’s country affect the transfer of personal data when outsourced. It is appropriate for the outsourcing provider – who has the closest access to information – to participate in the investigation. To get the assessment right, it is best to approach a lawyer who specializes in the law of the recipient’s country. The softening done by EDPB in the final version of the recommendations is welcome. In practice, the regulation means that it is still possible to outsource personal data to a country outside the EU / EEA).

However, before the transfer can take place, a comprehensive examination must be carried out to ensure that the law or practice in the recipient’s country, for example, does not constrain the security provided by the terms of the standard contract. If the investigation shows that the fixed contract sections do not provide adequate protection because the recipient uses law or practice in the country for similar transfers, additional security measures (Step 4) should be taken. New Fixed Contract clauses of the European Commission
The new standard contract clauses are suitable for GDPR. Different types of transfers are collected in one document and the obligations of the parties are divided into different blocks:

See also  Cisco Security Channel Vet Steve Benvenuto Takes Early retirement Deal - CRN: Technology news for channel partners and solution providers

News Summary:

  • Information technology contracts and data security news
  • Check all news and articles from the latest Security news updates.
Disclaimer: If you need to update/edit this news or article then please visit our help center.

For Latest Updates Follow us on Google News



Please enter your comment!
Please enter your name here