Schrems II refers to a European Court of Justice case verdict. The case concerns a lawsuit brought to the Court by the Irish Data Protection Authority. The case is based on a complaint from the Austrian citizen, Maximillian Schrems.
Schrems II refers to a European Court of Justice case verdict. The case concerns a lawsuit brought to the Court by the Irish Data Protection Authority. The case is based on a complaint from the Austrian citizen, Maximillian Schrems.
The complaint concerned the transfer of his personal data from Facebook Ireland to the company’s parent company Facebook Inc. Schrems argued that Facebook Inc. did not sufficiently protect his data. He also argued that the transfer was in breach of his EU rights as the law enforcement authorities in the U.S. had access to his and other Facebook user’s data.
Facebook Ireland previously used the so-called Safe Harbor Agreement as a basis for transfers. The Safe Harbor Agreement is an agreement between the EU and U.S. on the requirements of data transfers between the two.
Still, following the European Court of Justice’s rejection of the Safe Harbor Agreement by the Schrems I judgment, Facebook Ireland switched to using the EU Commission’s Standard Contractual Clauses (SCCs) and the new Privacy Shield decision as a basis for transferring data.
In July 2020, the Court of Justice of the European Union decided to invalidate the Privacy Shield and called into question the SCCs for transfers of personal data. This verdict came to be known as “Schrems II.”
After the decision, the European Commission decided to renew the SCCs. This means companies have to be more aware of transferring personal data to non-EU third parties. Each data transfer from the EU to vendors outside the EU should be internally assessed beforehand and based on the new SCCs.
The Schrems II verdict is essential because the Court of Justice declared that companies must ensure sufficient protection when data is sent outside the EU. For EU companies overall, this means to know who your data processors abroad are and what security steps they take to ensure that data is well protected.
Most importantly, companies that transfer data outside the EU must make sure the companies processing the data ensure the necessary data protection. The renewed SCCs with which companies have to comply can be found on the official website of the EU Commission.
Additionally, it is required that companies can prove that their vendors and subprocessors outside of the EU are compliant. This is, unfortunately, a very time-consuming task since vendors and subprocessors often change their information. Furthermore, extracting new information takes emailing back and forth, usually days at a time.
Fortunately, if your company uses vendors and subprocessors, you can find all necessary information about their data protection procedures on the Privacy Hub.
Such information includes the legal basis for transferring data outside the EU, their data impact statements, and what they have done regarding Schrems II. And the best part is that Openli regularly updates this information, so you don’t have to do anything; just relax and focus on aspects essential to your business.
You can also add personalized notes, upload your pre-existing policies and contracts, and connect them to the Privacy Hub. As a result, your Data Protection Agreements and other agreements will always be up to date.
And if your vendors are currently not in the hub, let us know. We will collect all of the information from them on your behalf. In short, we do the work, and you enjoy the benefits.
Learn more about Privacy Hub →