🇪🇺🔐🇺🇸 EU Invalidates Privacy Shield 🇪🇺🔐🇺🇸

22/07/2020


If Google Drive is your “jack of all trades”, you send your newsletter with Mailchimp, manage your leads with Zoho, hold conferences with Zoom or collect data with Forms, it's time to review your data protection.

The digital giants (mostly American) and their technological solutions have become a strong presence in our lives in recent years, and the current pandemic situation has strengthened them further.

The vast majority of companies and self-employed people find in this type of application a simple, affordable or free tool with which to manage their activity, increase their productivity and reach a wider audience.

Until now, it was recommended to have some link with US suppliers beyond their general conditions: a second document proving that the data transfers were covered. This is the so-called DPA (Data Privacy Agreement), a collection of additional clauses focused on privacy and data processing in accordance with the European Regulation.

Before July 17, however, this was recommended but rather optional (if the entity offering the service was listed in the Privacy Shield). It is now indispensable. Since we no longer have a "protection shield", the data transfers we carry out rest on a legal basis that is "hanging by a thread".

Do you know why?

Most likely, many of these companies will state that they have arranged to act in accordance with the standard contractual clauses, but these date from 2010 and are obsolete.

Recommendations:

  • Review where the suppliers of the applications into which you enter data have their tax headquarters, whether that data comes from your customers, your suppliers or potential customers who have given you consent.
  • If they are based in the US, see what pronouncements they have made regarding the invalidation of the Privacy Shield.
  • If they have not commented, contact the provider's legal department and require a DPA (data privacy addendum).
  • If no solutions are provided, look for alternative management programs that are based in European territory.

Remember that making international transfers without the necessary guarantees is a very serious violation of data protection regulations and carries the risk of a high penalty, as in the case of the association of computer technicians (45,000 euros).
