Schrems II compliance

On July 16, the Court of Justice of the European Union issued its long-awaited decision in the case Data Protection Commission v. Facebook Ireland, Schrems. That decision invalidates the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies rely to conduct trans-Atlantic trade in compliance with EU data protection rules.

Why is Schrems II compliance so important?

Data exporters are liable for personal data when performing a cross-border transfer. They need to implement supplemental technical measures that prevent governmental authorities in the target countries from identifying the individuals the data pertains to.

One important consequence is that you can no longer save customer data in the cloud without proper handling.

According to GDPR Article 32: the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including the pseudonymisation and encryption of personal data.

Customer data pii in the cloud

So, what should I do now?

On November 10, the European Data Protection Board (EDPB) released its “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” (link).

One alternative method is to get customer consent for the cross-border transfer of personal data. This is known as standard contractual clauses (SCC).

So, how can Databunker help with Schrems II compliance?

Before talking about the exact solution, I need to brief you on a few topics.

Definition of pseudonymisation.

‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person…

Transfer of pseudonymised data

EDPB permits the transfer of pseudonymised data. This snippet is from the EDPB document.

Use Case 2: Transfer of pseudonymised Data

A data exporter first pseudonymises data it holds, and then transfers it to a third country for analysis, e.g., for purposes of research. If

  1. a data exporter transfers personal data processed in such a manner that the personal data can no longer be attributed to a specific data subject, nor be used to single out the data subject in a larger group, without the use of additional information,
  2. that additional information is held exclusively by the data exporter and kept separately in a Member State or in a third country, territory or one or more specified sectors within a third country, or at an international organisation for which the Commission has established in accordance with Article 45 GDPR that an adequate level of protection is ensured,
  3. disclosure or unauthorised use of that additional information is prevented by appropriate technical and organisational safeguards, it is ensured that the data exporter retains sole control of the algorithm or repository that enables re-identification using the additional information, and
  4. the controller has established by means of a thorough analysis of the data in question taking into account any information that the public authorities of the recipient country may possess that the pseudonymised personal data cannot be attributed to an identified or identifiable natural person even if cross-referenced with such information,

then the EDPB considers that the pseudonymisation performed provides an effective supplementary measure.

OK, great, but how does it help me?

When you save a user object in Databunker, you get back a user token. This user token is the user's pseudonymised identity.

Pseudonymized identity

So, when performing a cross-border transfer, replace the user's personal data with the Databunker user token. This way the user is not identifiable by the target government, and the transfer is compatible with Schrems II.
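
The token substitution described above, as an added example (not Databunker's own code). `LocalVault`, `prepare_export` and `leaked_values` are hypothetical names, and `LocalVault` is a constructed in-memory stand-in for Databunker so the example runs offline. It also holds back any record where an identifier survives in a free-text field, since swapping only the named fields is not enough to make a record safe to transfer.

```python
import json
import uuid

# Direct identifiers, taken from the sample user record used on this page.
PII_FIELDS = ("first", "last", "login", "phone", "email")

class LocalVault:
    """Constructed in-memory stand-in for Databunker so this runs offline.
    In a real deployment tokenize() would store the profile in Databunker
    and return the user token it issues; the mapping stays with the exporter."""
    def __init__(self):
        self._token_by_email = {}
        self._profiles = {}

    def tokenize(self, profile):
        key = profile["email"].lower()
        if key not in self._token_by_email:      # same user -> same token
            token = str(uuid.uuid4())
            self._token_by_email[key] = token
            self._profiles[token] = dict(profile)
        return self._token_by_email[key]

def leaked_values(exported, profile):
    """PII values still present in non-token fields, e.g. inside free text.
    Substring matching is deliberately conservative and may over-report."""
    rest = {k: v for k, v in exported.items() if k != "user_token"}
    blob = json.dumps(rest).lower()
    return sorted({v for v in profile.values() if v.lower() in blob})

def prepare_export(records, vault):
    """Swap identifiers for the user token; hold back records that still leak."""
    safe, rejected = [], []
    for rec in records:
        profile = {k: rec[k] for k in PII_FIELDS if k in rec}
        out = {k: v for k, v in rec.items() if k not in PII_FIELDS}
        out["user_token"] = vault.tokenize(profile)
        leaks = leaked_values(out, profile)
        if leaks:
            rejected.append((rec["order_id"], leaks))
        else:
            safe.append(out)
    return safe, rejected

# Constructed sample records (not real data).
USER = {"first": "John", "last": "Doe", "login": "john", "phone": "4444", "email": "user@gmail.com"}
SAMPLE = [
    {**USER, "order_id": "A-1001", "amount": 42.5, "note": "paid by card"},
    {**USER, "order_id": "A-1002", "amount": 13.0, "note": "send receipt to user@gmail.com"},
    {**USER, "order_id": "A-1003", "amount": 7.0, "note": "gift wrap"},
]
```

Because the same user always maps to the same token, the recipient can still group records per user for analysis without holding anything that identifies that user.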


Databunker Live demo

Live demo URL: https://demo.databunker.org/

You can use the following credentials:

  • User phone: 4444
  • User access code: 4444
  • Admin token: DEMO

Getting Started

The easiest way to get started with Databunker is to run it as a Docker container:

docker run -p 3000:3000 -d --rm --name dbunker securitybunker/databunker demo

This command starts Databunker in a local container with a DEMO root access key. You can use it for development or testing purposes. For a production installation, follow this installation guide.

Connecting to Databunker

You can interact with Databunker using:

Create a user record

curl -s http://localhost:3000/v1/user -X POST -H "X-Bunker-Token: DEMO" \
  -H "Content-Type: application/json" \
  -d '{"first":"John","last":"Doe","login":"john","phone":"4444","email":"user@gmail.com"}'

Fetch user record by email

curl -s -H "X-Bunker-Token: DEMO" -X GET http://localhost:3000/v1/user/email/user@gmail.com

Fetch user record by login

curl -s -H "X-Bunker-Token: DEMO" -X GET http://localhost:3000/v1/user/login/john

Other commands:

For a full list of commands, follow the API document.

Support / Contact

Slack Channel