Privacy Shield / Schrems II
Introduction
The EU–US Privacy Shield was a framework for regulating transatlantic exchanges of personal data for commercial purposes between the European Union and the United States.
One of its purposes was to enable US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens. The EU–US Privacy Shield was a replacement for the International Safe Harbor Privacy Principles, which were declared invalid by the European Court of Justice in October 2015.
Update: 2022-03-25 Microsoft is committed to EU-U.S. Data Agreement
Requirements
Affected companies will now have to sign "standard contractual clauses": non-negotiable legal contracts drawn up by Europe, which are used in other countries besides the US.
They are already used by many big players. Microsoft, for example, has issued a statement saying it already uses them and is unaffected.
What does anDREa (processor) do to help you and your organization (controller):
- By default all resources, virtual machines and storage, are deployed in a Microsoft Azure Data Center inside the EU/EEA (Amsterdam)
- Each Workspace and their data are encrypted at-rest and in-transit
- Each Workspace are Role-Based-Access-Controlled (RBAC)
- Each Workspace requires 2 Factor Authentication
- Extensive logging of access and attempts for non-authorized access
The above compliments the evidence for the requirement: Controllers and processors of personal data must put in place appropriate technical and organizational measures to implement the data protection principles (GDPR)
In addition to your own organizational measures, you might consider the following:
- Ensure you have processing agreements with at least all external people before enrolling them in a Workspace
- Carefully consider the role other than Member in your workspace for people that are not 100% member of the EU/EEA
Related Articles
GDPR Compliance Assessment
First version: 2021-05-16 Last updated: 2024-03-12 Last change: Fixed links to GDPR articles to refer to the official EC website. Introduction The purpose of this document is to describe anDREa’s compliance with the GDPR. This document also describes ...A.18 Compliance
Version: 3.0 Valid until: 2025-04-10 Classification: Low Version Management Version Author(s) Change(s) Date approved 1.0 Stefan van Aalst Theo Koster Edward Robinson Initiation document. 2022-05-20 1.1 Edward Robinson Additions/changes as part of ...Cookie Policies
Introduction The purpose of this document is to describe anDREa’s Cookie Policies. This document will be updated at least annually and when significant change happens to the relevant areas covered. Cookie Policy Cookies are temporary text files that ...Privacy Policy
Introduction anDREa is committed to be GDPR Compliant and protect the data and privacy of all stakeholders. The purpose of this document is to describe anDREa’s Data Handling Policy. The rules for acceptable use must take into consideration ...Contact information
First version: 2021-09-01 Last updated: 2023-10-13 Last change: Phone number Security Officer This page contains the most up-to-date contact information for serious incidents. Please note the contact information is to be used in emergency settings ...