Companies already paid €2,720,000,000 in GDPR fines. Per our research, 80% of the sites have broken privacy controls.
On July 16, the Court of Justice of the European Union issued its long-awaited decision in the case Data Protection Commission v. Facebook Ireland, Schrems. That decision invalidates the European Commission’s adequacy decision for the EU-U.S. Privacy Shield Framework, on which more than 5,000 U.S. companies rely to conduct trans-Atlantic trade in compliance with EU data protection rules.
Data exporters are liable to personal data when performing a cross-border transfer. Data exporters need to implement supplemental technical measures to prevent governmental authorities from identifying individuals pertaining to the data in the target countries.
One of the important consequences is that you no longer can save customer data in the cloud without proper handling.
According to GDPR Article 32:
the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk including
the pseudonymization and encryption of personal data.
On November 10, the European Data Protection Board (EDPB) released its “Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data” (link).
One of the alternative methods is to get customer consent for personal data cross-border transfer. This is known as standard contractual clauses (SCC).
Before talking about the exact solution, I need to brief you about few topics.
‘pseudonymization’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person…
EDPB permits the transfer of pseudonymized data. This snippet is from the EDPB document.
Use Case 2: Transfer of pseudonymized Data
then the EDPB considers that the pseudonymization performed provides an effective supplementary measure.
When saving a user object in Databunker you are getting a user token. This user token is a user pseudonymized identity.
So, now when performing a cross-border transfer, change user personal data with a Databunker user token. This way you make the user not identifiable by the target government and it is compatible with Schrems II.