Contract requirements for the transmission of personal data to third parties. Companies participating in the Privacy Shield must include a number of new provisions in their contracts with third parties (e.g., service providers, business partners, etc.) when personal data is passed on to these third parties. These provisions include: (a) the third party must notify the company that transmits the data when it is no longer able to provide the level of protection described in the data protection principles; (b) personal data must be deleted or de-identified by the third party when the data is no longer needed for compatible processing or use; (c) service providers using personal data can only act on the instruction of the "data manager" (e.g., the company that transfers personal data to the service provider) and must help the processing manager respond to those who exercise their data protection rights in accordance with the principles. As a result, companies need to consider any changes that need to be made to these types of agreements.

Ms Reding added: "What we need are legally binding obligations without conditions. Safe Harbor will not be 'safe' just by giving it another name."

If the Privacy Shield is right for you, your company should conduct a gap analysis to determine the procedures to be put in place to submit the self-certification application and comply with the principles of the Privacy Shield. This process includes an internal or external verification process in which the company's current practices in the collection, storage, processing and security of personal data from the European Union are assessed on the basis of the principles of the Privacy Shield. Before filing the application for self-certification, the organization must ensure that it has appropriate policies and practices in place to certify compliance with the principles of the Privacy Shield.
Although many Privacy Shield requirements are common among U.S. companies (e.g., the implementation of appropriate security measures to protect personal data), many requirements are not. In addition, as explained in more detail, Privacy Shield requires, for example, downstream vendor contracts to respect data minimisation, data destruction and access to personal data. However, U.S. companies can now confirm that they will abide by the terms of the agreement in their current form. More than 1,000 companies are reported to have completed the procedure, compared to 4,500 that submitted data under the previous agreement. At the end of 2015, the EU Court of Justice ruled that the agreement allowing the transmission of personal data from the EU – the Safe Harbour framework – did not offer adequate safeguards of protection and was therefore not valid. The enforcement decision also highlighted that there are still differences in the way the United States and the European Union are addressing the use of personal data by companies to make automated decisions about individuals.
The United States offers only regulations in certain sectors, such as job offers and credit decisions, while Europe and the GDPR offer broader protection in almost all sectors. The enforcement decision specifies that the US and EU will discuss these issues during annual reviews of the implementation of the Privacy Shield, which may include rights similar to those described in the GDPR, namely the right of a person to object to decisions that are based only on such automated decision-making, unless there are appropriate safeguards or other conditions that require such a decision-making process.

Steven Millendorf is a partner and intellectual property lawyer at Foley and Lardner LLP.