Data protection & Privacy Shield: What you need to consider now

Great excitement among many data protection experts: on 16 July 2020 the European Court of Justice (ECJ) overturned the EU-US Privacy Shield. Strictly speaking, this means that companies which continue to transfer European consumer data to the United States on that basis now do so without a legal basis and expose themselves to fines. Why the judgement came about, what effects it has on the use of US services and why vitero is the right solution right now, we summarize for you.

Repeal of the Privacy Shield: What to do now

In the past, many European companies used US services on the basis of the Privacy Shield. Now that the Privacy Shield has been invalidated, the legal basis for every such transfer of personal data must be examined closely.

Check your current contractual partners
If a contractual partner has access to personal data, the following questions are important: Is the company located in the USA? Is it owned, in whole or in part, by US companies? As soon as one of these applies to a contractual partner, there is an acute need for action.

In case of doubt, suspend the data transmission
In theory, the EU standard contractual clauses (SCCs), which remain valid, offer a replacement. However, they have to be concluded individually with each contracting partner, which often turns out to be lengthy and complex. Furthermore, the ECJ held that SCCs alone are not enough: the exporter must assess whether the law of the destination country actually allows the partner to honour them, and a US company cannot contractually guarantee protection of the data against access by US investigating authorities. Until this data protection gap is closed, data transfers should be suspended in case of doubt.

Evaluate data processing in the EU
One alternative is to use European providers. These are subject to the General Data Protection Regulation (GDPR). Where the provider has no US shareholding and its servers are located in the EU, which is the case for vitero, no transfer to the USA takes place and there is no US parent company that could be compelled to hand the data over.

Background of the Privacy Shield

The EU-US Privacy Shield was an agreement between the EU and the US that regulated the transatlantic exchange of personal data from 2016 until it was invalidated in July 2020.

Why was the EU-US Privacy Shield invalidated?
The Austrian Max Schrems filed his first complaint against Facebook Ireland in 2011. The reason was that data of European users was not processed in Ireland but transferred to the USA, and Schrems wanted such transfers prohibited. In 2015, his complaint resulted in the ECJ overturning the original agreement, Safe Harbour, due to an insufficient level of data protection.

Not sufficiently protected against unauthorized access
The Privacy Shield was intended to serve as the new basis from 2016. However, the data was still not sufficiently protected against access by US authorities such as the NSA or the FBI. US surveillance law (the ECJ pointed in particular to Section 702 of FISA and Executive Order 12333) allows them to access data held by US companies without a court order directed at the individual and without an effective legal remedy for the affected EU citizens. The data is therefore not protected to the standard required by the General Data Protection Regulation (GDPR). Schrems' renewed legal action led to the ECJ declaring the Privacy Shield invalid in July 2020.

What are the consequences of the ECJ ruling?
As no transition period was granted, there is an acute need for action for many companies, including numerous global IT groups. Transfers of personal data from the EU to the US that relied solely on the Privacy Shield now have no legal basis. In practice, there is great legal uncertainty about which activities are still allowed and which are not, and data transfers continue to take place despite the threat of high fines, which can run into the millions depending on turnover. It remains to be seen when and in what form a third agreement between the EU and the US will be negotiated.

Data protection with vitero

Data protection is our top priority: to keep communication in our virtual rooms secure, we at vitero work strictly according to the data protection regulations applicable in Germany and the EU.

Servers in Germany
The servers rented by vitero GmbH are located in Germany. There is no data transfer to redundant systems (e.g. for the purpose of data backup) outside Germany.
TÜV-certified data centre
The data centre used, based in Berlin, is certified by TÜV according to ISO 27001, the standard for information security management, which covers the confidentiality, integrity and availability of the data held there.

German company
As a spin-off of the Fraunhofer Society, vitero GmbH is a purely German company. It is therefore subject to the GDPR and the German Federal Data Protection Act without restriction.

German headquarters
The company headquarters of vitero GmbH is located solely in Germany. There are no parent companies or other dependencies in other countries, whether European or non-European.