Most organizations, public and private, transfer personal data outside the EU. This is especially typical if they use services from Microsoft, but it can just as easily happen through other, smaller cloud tools.
Unexpectedly, decisions have begun to emerge around the EU that actually take Schrems II seriously by ordering the transfer to be terminated. As CEO / director, you should therefore ask your IT manager to sit down and go through the following questions on behalf of the business as part of the business risk assessment:
- Is it likely that our local regulator will come and take a look at us within 1 year?
- If not (data inspectors are generally reluctant in this field), do nothing. If so, move on.
- Do we have business-critical systems that transfer personal data outside the EU?
- If not, do nothing, as you can comply with a ban. If so, move on.
- Add supplementary measures to your oversight schedule. (If you do not have such a form, we will be happy to help you with it.)
- If you are more courageous and have come this far, then wait. The data processors will probably have to come up with their own additional measures. They want your business. Microsoft has theirs in place. Whether they hold, time will tell, but you can hardly do more about it.
And remember that if there is nothing in your data processor agreement about transfer (you have not agreed to transfer and have not approved sub-data processors outside the EU), you are in the clear, even if, for example, AWS is a sub-data processor and you have a strong presumption that the final processing actually takes place outside the EU through support, development and emergency events.
And at Unitas we refuse to comment on this skewed situation, as the Schrems II device is unlikely to be put into operation simply because it is a US-owned European-based server.
Unitas has previously written about transfer to third countries.