Schrems II and customer service compliance

On 16 July 2020, the Court of Justice of the European Union handed down a historical judgment in the Schrems II case: the Court invalidated the decision of the European Commission on the adequacy of the protection provided by the EU-US Privacy Shield for transfers of European data to the US.

In short, that means that companies within the EU/EEA can no longer rely on the US Privacy Shield to transfer data to the US. But how does the ruling apply to data collected from customer service interactions?

Our most important sub-processor, Microsoft Azure, has already implemented measures to ensure compliance. For more information, read this blog article from Microsoft.

On November 10., the European Data Protection Board (EDPB) published their recommendations on supplementary measures in this publication: Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data.

The 3 most important takeaways based on this summary published on

  • personal data cannot be transferred to controllers or processors in jurisdictions outside of the EEA who require unencrypted access to the personal data or access to the encryption keys with which encrypted personal data can be unencrypted
  • Organizations that transfer personal data from Europe to recipients located outside of Europe may only do so under the GDPR if the recipient is located in a country which the European Commission has determined offers adequate data protection
  • Businesses relying on standard contractual clauses, binding corporate rules, or other Article 46(2) GDPR “appropriate safeguards” are required to conduct an assessment of the local law in the jurisdiction to which they are transferring the personal data to