As a result, companies that transfer data to "non-secure" third countries must adapt their framework agreements to the new EU requirements by December 28, 2022. Failure to do so could result in cease-and-desist orders and payments of up to 20 million euros or four percent of sales.
Changed data protection regulations at EU level
At the turn of the year, changes in data protection law will once again come into force. The adjustment concerns the EU's standard contractual clauses, which regulate rights and obligations in order to create a level of data protection in third countries that is adequate to European standards. For companies, these become relevant when they transfer personal data to countries outside the European Economic Area. This also applies to the cloud services they use.
The new and stricter version of the GDPR declares data transfers to countries such as the USA, China or India "not secure" with immediate effect, thus taking the Schrems II ruling into account. This is a major challenge for IT service providers in particular, as they frequently process personal data in one of the above-mentioned, economically important countries.
Companies that commission cloud service providers on the basis of standard contractual clauses, and whose providers manage their data in "secure" countries outside the EEA such as Switzerland, the UK, Japan, Uruguay or Israel, have no need for action at this point (see the adequacy decisions under Art. 45 GDPR). A reliable way to verify this is to demonstrate compliance with the EU Cloud Code of Conduct. The CoC is a comprehensive code of conduct for the European cloud industry, which makes the uniform enforcement of European data protection standards based on the General Data Protection Regulation its top priority. A Level 3 certification is considered the best independent evidence of the highest level of data protection and states that all stored information is located within the EU.
If third countries are involved where equivalent data protection standards do not exist, controllers must achieve an equivalent level with additional agreements (see Recommendations 01/2020 of the European Data Protection Board). This also includes making sure that the practical implementation of the changes takes into account all technical and organizational requirements for the respective purchased service. Failure to comply with or implement the new requirements can lead to cease-and-desist orders and payments of up to 20 million euros or four percent of sales.
Simple implementation with smart contract management
To check the entire contract portfolio as efficiently as possible for the relevant standard clauses, it is a good idea to use intelligent contract management software such as Fabasoft Contracts. With the help of the semantic full text search, this software identifies all relevant contracts at the push of a button and thus reduces the search effort to a minimum. The product also supports the adaptation of agreements with smart clause management. Metadata is transferred directly to the document templates via text modules and clause libraries, thus contributing to the rapid and automated creation or modification of text passages. This not only reduces the effort and potential for errors, but also significantly reduces the number of approvals required. Once the contracts have been drawn up in accordance with the new regulations, Fabasoft Contracts involves the external partners directly in the conclusion of the contract.
Fabasoft is the only cloud service provider worldwide to achieve the third and highest compliance level of the EU Cloud CoC.
Conclusion
Ideally, companies already work with cloud providers who can prove that no data leaves the EEA. Otherwise, there is an urgent need for action to comply with the new data protection requirements in time for the December 28, 2022 deadline. Smart, certified contract management provides fast and secure support in evaluating, adapting and concluding the relevant agreements.