data is processed in the USA, the appropriate level of data protection must also be guaranteed there. Remember that your company, as the data controller (Art. 4 No. 7 GDPR), is also responsible for the data processing of the contract processors and subcontractors.
The catch: The standard contractual clauses must be concluded directly between your company as the controller and each individual subcontractor (“controller to processor”). There are simply no standard contractual clauses for the processor-to-subcontractor constellation (“processor to processor”). This means that the cloud service cannot conclude standard contractual clauses with its subcontractors. The EU Commission is currently working on new standard contractual clauses that will hopefully solve this problem, but that does not help here and now.
As a workaround, we consider it reasonable to authorize the processor to conclude the standard contractual clauses with its subcontractors on behalf of your company. However, the risks outlined above that are now inherent in the standard contractual clauses for US data transfers remain.
Legal consequences and risks
Compliance with the GDPR is monitored by the data protection supervisory authorities in the individual federal states. According to Art. 58 GDPR, the authorities can take action against unauthorized data transfers to third countries, for example by prohibiting the use of services or service providers. Fines of up to EUR 20,000,000 or 4% of annual turnover (whichever is higher) are also possible.1 Even if the Privacy Shield agreement has become unusable with immediate effect from the EU’s point of view, the authorities will probably grant companies a grace period to adapt their processes and renegotiate contracts with US service providers. That is at least what we experienced in 2015, when the ECJ declared the Safe Harbor agreement (the predecessor to the Privacy Shield) invalid. But: In its new decision, the ECJ expressly emphasized that the supervisory authorities must prohibit unauthorized data transfers. The authorities cannot therefore remain inactive for too long.
Customers, users, employees and other persons affected by unlawful data processing can issue a warning to your company and demand compensation for damages. Both have only happened rarely so far, but the first courts have awarded non-material damages for GDPR violations.2 The costs of a warning can quickly reach four-digit figures. In addition, there are cease-and-desist declarations to which you are bound for years.
It is at least conceivable that consumer protection associations and competitors will issue warnings with cease-and-desist declarations. However, the legal situation is unclear and has recently been referred to the European Court of Justice for clarification. Up to now, the risk of such warnings has been rather low.
2 E.g. EUR 2,000 for unlawful video surveillance; EUR 5,000 for late and incomplete information.