Statement on EU-US Privacy Shield Framework

On July 16, 2020, the Court of Justice of the European Union (the “CJEU”) issued a ruling invalidating the EU-U.S. Privacy Shield framework as a proper mechanism for transfers of personal data from the EU to the U.S. The EU-U.S. Privacy Shield framework has been in place since 2016 and was established to regulate the transatlantic exchanges of personal data between the EU and the U.S. The framework allowed U.S. companies certified under the program to legitimately receive personal data from the EU and/or Switzerland. As a result of the CJEU’s ruling, organizations can no longer rely on their Privacy Shield certification as a method for transferring personal data from the EU to the U.S.

However, in the same ruling the CJEU upheld Standard Contractual Clauses (SCCs) as a valid transfer mechanism for personal data between the EU and U.S. SCCs are a set of contract terms created by the European Commission to legitimize the transfer of personal data from the EU to non-EU countries which the European Commission has not deemed adequate for purposes of cross-border transfers of data out of the EU.

Following the CJEU’s decision, the Swiss Data Protection Authority (the Federal Data Protection and Information Commissioner, “FDPIC”) announced on September 8, 2020 that it no longer considers the Swiss-EU Privacy Shield adequate for the purposes of transfers of personal data from Switzerland to the U.S. While the FDPIC does not have the authority to invalidate the Swiss-U.S. Privacy Shield Framework (and its position is subject to any rulings to the contrary by Swiss courts), in practice, companies may no longer rely on the Swiss-U.S. Privacy Shield framework as a valid data transfer mechanism.

We understand that you may have questions as to how this impacts your agreement with RDC since RDC was previously certified to both the EU-U.S. and the Swiss-U.S. Privacy Shield framework.

RDC has always been committed to ensuring the protection of the personal data that it collects and processes on behalf of our customers and is therefore well positioned to manage this change. RDC is relying on SCCs to transfer personal data in connection with our customer agreements and provides robust privacy and security measures in accordance with GDPR requirements. RDC also has SCCs in place with its major subprocessors. RDC will continue to process all data with protections required under applicable data protection law and upon request will work with our customers to update agreements as necessary with SCCs, as they remain a valid mechanism for data transfer from the EU to the U.S. and from Switzerland to the U.S.

If you have questions regarding your customer agreement, please contact your account manager or email our Privacy Officer at