Privacy Shield – Schrems II Statement
On July 16th, 2020, the European Court of Justice (CJEU) released its highly anticipated decision in Case C-311/18, otherwise known as Schrems II. The CJEU ruled that the EU-U.S. Privacy Shield is to be invalidated. In turn, the CJEU ruled that the system of Standard Contractual Clauses (SCCs) which allows for data transfers from the EU to third countries, is valid.
PSI has not solely relied on the EU-U.S. Privacy Shield for US data transfers but has implemented SCCs with our vendors and has subsequently taken the approach on implementing the SCCs across all PSI affiliates under an Intra-Group Data Sharing Agreement.
What does this mean for PSI Customers?
PSI is committed to the protection of your data and the legal data transfer under GDPR to the US. We have implemented the SCCs and also aligned all of our security measures to ISO 27001, which subsequently ensures that industry encryption measures are in place while data is in transit and at rest. PSI also has strict Access Control procedures to limit who, how and what is being processed while PSI is continuing to evaluate its US transfers, and where feasibly and reasonable to do so, we will minimise any unnecessary third-party data transfers. PSI also confirms that as of the date of this notice it has not been subject to any data requests by the US government [for national security purposes].
PSI’s legal and compliance teams are closely monitoring this ruling and the anticipated guidance that will follow to ensure our compliance, and more importantly, to protect the data of our customers according to GDPR.
You may find the FAQs recently issued by the European Data Protection Board (EDPB) on the invalidation of the Privacy Shield and the implications for the SCCs useful, please click here.
If you have any questions or complaints in relation to this matter, you may contact PSI’s Data Protection Officer here.