Privacy Shield is not sufficient between controllers and processors

GDPR enforcement is just around the corner.

Is your company based in the US?

Is your company doing business with others who need you to be compliant?
For example, are you transferring European personal data to the US?
Or are you processing your customers' customers' personal data, meaning you are a data processor?

If you have been reading the regulation carefully, "Privacy Shield" is cited as one of the mechanisms that allow the transfer of European personal data to the US.
Despite its poor reputation and the likelihood that it will be short-lived, numerous SaaS companies are subscribing to it.

But Privacy Shield covers only one side of the equation: making it legal to transfer European personal data to the US.
That is all you need if you are a data controller, i.e. you decide the purpose and the means of the processing.

But as soon as you send that data on to a third-party service provider, there are other parts of the regulation you need to meet.

These providers are "data processors," and they may only process your data "on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organization,…"
Furthermore, if the processor intends to engage another processor, it must have a "general written authorization of the controller."
Finally, the processor is responsible for providing sufficient guarantees that the requirements of the GDPR will be met.
(See the GDPR article on data processors.)

Primarily, you need a valid contract between the data controller and any data processor.
Data processors now carry far more responsibility.

This is why companies have been writing their own Data Processing Agreements (DPAs) to make sure that the SaaS service they send personal data to will take responsibility for the security of the processing.

If you are selling your services to European companies, or planning to, this is the way to go at the moment.
You can find a template here.

As a controller, you want to ensure that your processor will:

  • ensure proper security of your data,
  • report a data breach without undue delay,
  • help you fulfil data subject rights (access, rectification, erasure, portability, ...).

Who should write it?
It depends on your size.
As a processor, if you do not have a legal team, the best move is to hire a lawyer to write one for your company and ask your customers to sign it. That way you will not have to have each customer's DPA reviewed by a lawyer every time you sign a new one.
Also, beware of data controllers asking your company to sign a DPA that puts a heavy burden on the processor.
