The Swedish DPA Datainspektionen has now presented their first embryo of guidelines following the Shrems II case from July 16th.
They conclude, as many others, that transfer of personal data from the EU to the US just became a lot more difficult.
Privacy Shield cannot be used anymore, and it is unclear to what extent standard contract clauses (SCC) and binding company rules (BCR) can be used.
However, as a first step to all companies and organizations, they do present a short checklist for what to do now:
- Create an inventory of all personal data and flows in your organization and identify where personal data might be transferred to a third country.
- If a transfer is taking place, you must understand how they are protected in the receiving country.
- Only after such an investigation, a legal analysis must take place to determine if there is legal support for the transfer.
- It must be clear in all your processing agreements if personal data is transferred to a third country. Be aware – many services are transferring personal data.
Aigine Unstructured Data Inventory is created to automate such inventory and creates the legal documentation using artificial intelligence for any or all personal data.
Contact us if you suspect that you might have undocumented, and thereby unlawful, personal data transfers from the EU to the US.