EuGH overturns Privacy Shield: legally secure procurement with Onventis

The General Data Protection Regulation (GDPR) stipulates that personal data may only be transferred to third countries such as the USA in compliance with an adequate level of protection. The Privacy Shield and standard contractual clauses are ergo only legally permissible for data transfers to the US if an effective level of data protection is guaranteed.

With its ruling announced yesterday, the Court declared the so-called Privacy Shield Decision 2016/1250 invalid. The ECJ thus annuls the existing data protection agreement between the EU and the USA. The background was an ongoing case brought by Austrian data protection activist Max Schrems to ban the transfer of personal data from the Union to the United States.

Schrems invoked, among other things, Section 702 of the Foreign Intelligence Surveillance Act (FISA 702). The section allows the National Security Agency to access data on non-U.S. citizens in electronic communications services even without a court order. According to the decision of the ECJ, the requirements of the Privacy Shield are no longer met. Rather, the EU Commission is violating the fundamental rights of EU citizens to privacy, data protection and to effective safeguards against data transfers to the US.

“It is important that the personal data of European citizens is not transferred en masse and uncontrolled.”
BITMi President Dr. Oliver Grün

For globally networked companies, the ECJ ruling and the associated legal uncertainty pose a great risk. Applied to practice, this means that most US service providers may not be used. Alexander Rabe from the Internet industry association Eco says: “The data protection agreement of the (…) Privacy Shield between the EU and the USA or the so-called standard contractual clauses formed an indispensable legal basis for the international transfer of personal data. Without them, there are few alternatives to lawfully transferring this data from the European Union or the United Kingdom.” Digital service providers like Google or Facebook thus face a problem from now on if you want to process data of EU citizens in the US.

With Onventis, your data stays in Germany
German cloud provider Onventis protects the data of organizations and individuals in accordance with German and European data protection regulations. The modular Onventis product portfolio has been awarded the BME seals of approval for “Supplier Relationship Management” and “Mobile Procurement” as well as the BITMi seals of approval for “Software Made in Germany” and “Software Hosted in Germany”. The information security management systems (ISMS) at Onventis are also certified according to ISO/IEC 27001. Worldwide, more than 1,000 organizations from the procurement and finance sectors rely on Onventis’ multi-certified German cloud platform.

• Maximum data protection for purchasing through DSGVO-compliant software usage
• ISO-certified cloud data center in Frankfurt am Main
• Smart e-procurement from the German cloud since 2000
• Maximum SSL standards
• Single Sign On Connector
• End-to-end encryption
• 7 x 24 real-time monitoring
• Georedundant data mirror in Stuttgart
• Onventis support in Germany

The full ECJ ruling can be found here.