Industries
Industries Overview
Healthcare & Life Science
Manufacturing
Media & Entertainment
Public
Retail & Consumer Goods
Utilities
Consulting & Innovation
Consulting
Business Transformation
Technology Consulting
Process Consulting
Innovation
Generative AI
Sovereign AI
Metaverse
Consulting
Business Transformation
Business Transformation Consulting
Solutions & Products
Solutions
Sovereign IT
Business Process Management
Counterfeit Protection
Customer Experience
Data & Automation
Digital Workplace
Digital Commerce
Finance
SCM & Logistics
Products
Arvato Systems Alive
Order Management with aroma®
Digital Workplace with NAVOO®
Digitize logistics processes with platbricks®
Vulnerability Management with Varedy
Sustainability Management with green.screen
Further Products
Technologies
Amazon Web Services
Google Cloud
Microsoft
SAP
Further Partners
Solutions
Business Process Management
Process Modeling and Process Documentation
Process Mining
Process Automation
Governance, Risk & Compliance
Solutions
Counterfeit Protection
Serialization in the Consumer Goods Industry
Serialization in the Pharma Industry
Solutions
Customer Experience
API Management
App Development
Arvato Systems Alive
Customer Experience Consulting
Hyperpersonalization
Customer Loyalty
Content Management
Customer Relationship Management
Product Information Management
UX and UI Design
Solutions
Data & Automation
Data Fabric
Data Governance
Generative AI
Hyperautomation
DocuStream
Artificial Intelligence
Robotic Process Automation
Self-Service Business Intelligence
Solutions
Digital Workplace
Digital Meeting Management
Digital Workplace with NAVOO®
Guest User Manager
Microsoft 365
Microsoft 365 Backup Service
Microsoft 365 Data Protection
Microsoft Power Platform
Workplace Security
Solutions
SCM & Logistics
Warehouse Management
Transport Management
Production Planning
Digitize logistics processes with platbricks®
Artificial Intelligence in Logistics
Logistics 4.0
SCM & Logistics
Digitize logistics processes with platbricks®
Production Supply
Container Management
Warehouse Management System
Mobile Solutions
Analytics
Chatbots
Gamification
Healthcare Suite
Technologies
Amazon Web Services
Amazon Connect Contact Center
AWS Container Acceleration
AWS Cloud Migration
SAP on AWS
Technologies
Google Cloud
API Management with Apigee
Modern Data Warehouse Management with BigQuery
SAP on Google Cloud
Google Cloud Landing Zone
Technologies
Microsoft
Microsoft Azure
SAP on Azure
Microsoft 365
Microsoft Power Platform
Technologies
SAP
SAP Application Management Service
SAP Business Technology Platform
SAP Customer Experience
SAP IS-U
SAP License Management
SAP on Cloud
SAP RISE
SAP S/4HANA
End-2-End Process Monitoring
SAP BW/4HANA
SAP Datasphere
Infrastructure & Operations
Cloud & Data Center Services
Cloud Transformation
IT Outsourcing & Infrastructure Services
Multi & Hybrid Cloud
SAP on Cloud
Virtual Desktop Infrastructure
Workload Automation
Security Services
Cyber Care & CDC
Disaster Recovery
Vulnerability Management with Varedy
SAP Security
Managed Services
Cloud Foundation
Managed Workloads
Application Management
Cloud & Data Center Services
Cloud Transformation
Application Modernization on Cloud
Datacenter on Cloud
Data Management on Cloud
Enterprise Application Integration
Managed cloud IT with Avvia
Cloud & Data Center Services
IT Outsourcing & Infrastructure Services
SAP Hosting
Cloud & Data Center Services
Multi & Hybrid Cloud
Amazon Web Services
Google Cloud
Microsoft Azure
Virtual Private Cloud
About us & News
About Arvato Systems
Awards
Corporate Responsibility
Management
Memberships & Certifications
Partnerships
References
Locations
Press
Events
Contact
Privacy Policy

Third Country Service Provider:

Legally compliant third country transfer

...
Tiny PNG Großjohann
Written by
Data Protection: Working with International Service Providers
16.11.2023
IT Outsourcing
Digital Transformation
Data Management
Cloud

In times of digitalization, agile IT solutions are essential for companies. In addition to continuous system performance, the focus is on individual customer requirements. This flexibility is impossible without service providers, who rely on other (international) subcontractors.

Data Transfer and Third Countries

AdobeStock_647101647_735x492px

As part of its activities, it is often essential for the service provider to access the personal customer data of its clients. This requires either that the data is physically forwarded, for example, for storage in a cloud, or that the service provider has direct access to the data, for example, through remote support services. The client is responsible for agreeing on an appropriate level of data protection with its service provider to minimize the risk of processing for the data subjects. The processing of personal data then takes place based on a data processing agreement (DPA). Appropriate technical and organizational measures, in turn, ensure the security of data processing.

If the service provider is based within the EU or the EEA and provides its services from this region, it is directly subject to the EU General Data Protection Regulation (GDPR). Under these conditions, there is also a high level of data protection. 

Other legal provisions apply if the service provider is outside the EU/EEA or involves other subcontractors who provide their services from such a so-called third country; other legal requirements apply. In these cases, the level of data protection may differ from that defined as appropriate by the GDPR. In these circumstances, further conditions must be met and guarantees required to ensure an adequate level of data protection. The service provider is responsible for fulfilling the data protection requirements agreed upon with the client throughout the entire chain of its sub-processors.

Guarantees for a Secure Third Country Transfer

Data protection legislation provides for several instruments that allow data to be transferred securely to a country outside the EU/EEA.

  • The most frequently used guarantee is the so-called EU standard contractual clauses, which are concluded in addition to the data processing agreement. The current version of these clauses - issued by the European Commission in June 2021 - has a modular structure and can be used in several constellations. In the context of order processing, such an agreement between the processor and (sub)processor is standard practice.
  • A risk assessment (transfer impact assessment) is again required in connection with the standard contractual clauses. The data exporter must check the legal situation or the level of data protection in the third country and assess whether the recipient may be forced by applicable law in the third country to violate the provisions of the contracts. If this is the case, additional data security measures must be taken.
  • For example, multinational corporations can secure data transfer via Binding Corporate Rules (BCR). BCRs are binding internal company data protection regulations that create an appropriate level of data protection and make it possible to transfer personal data to subsidiaries in third countries. These regulations, therefore, also represent a suitable guarantee for third-country transfers. However, they must be approved by the supervisory authority.
  • Transferring personal data to a third country is also possible based on an adequacy decision. The European Commission takes this decision if it determines that the level of protection in a particular country is equivalent to that of the GDPR. If such an adequate decision exists, the data may be transferred to this country without further guarantees. However, it should be noted that the scope of the respective choices may differ from country to country. For example, the EU-U.S. Data Privacy Framework only applies to participating companies in the USA. 

The EU-U.S. Data Privacy Framework (DPF)

Arvato-Systems Blog Article Data Protection AdobeStock_636775901

The EU-U.S. Data Privacy Framework (DPF) has recently become highly relevant for data transfers to the USA. It came into force on July 10, 2023, and provides a guarantee for third-country transfers in the form of an adequacy decision. The DPF enables legally compliant data transfers to those US companies that have expressly certified themselves for this purpose.

It is the third agreement between the EU and the USA on data transfer, after the European Court of Justice declared its predecessors Safe Harbor (Schrems I ruling, 2015) and Privacy Shield (Schrems II ruling, 2020) invalid. Max Schrems, an Austrian data protection activist, had initiated the lawsuits due to the inadequate level of US data protection.

The DPF now includes further guarantees for data protection and a strengthening of the rights of affected EU citizens. In particular, a two-tier redress system has been set up to simplify complaints by affected EU citizens and enable them to challenge decisions made. The activities of the intelligence services will be monitored more closely, and access to data will be limited to what is necessary and proportionate to protect US national security. Certified companies must comply with regulations such as purpose limitation, information obligations, and the fulfillment of data subjects' rights and are subject to regular inspections.

It remains to be seen how long the DPF will remain in force. The security laws of the USA have not changed due to the new adequacy decision, and Max Schrems, therefore, already has the subsequent lawsuit in the drawer. In addition, European data protection authorities have already voiced initial criticism of the adequacy of the measures.

However, the DPF currently provides a valid guarantee for transferring personal data to the USA, thus significantly improving the conditions for data transfer. All major hyperscalers are among the participating companies.

IT It Expertise Meets Data Protection

Arvato Systems has been working successfully for years with service providers within the EU/EEA and in the USA and other countries outside Europe, to provide the best possible services. In particular with Microsoft in particular, we have a long-standing partnership. With our expertise in the entire Microsoft Cloud, we support our customers in the digital transformation and advise them in the context of Microsoft 365, among other things. We always keep an eye on the legal framework and, as an IT specialist, the requirements of our clients and thus ensure an appropriate level of protection for the personal data entrusted to us. 

You May Also Be Interested In

Public

The comprehensive digitization of public administration is an important task. Learn more about our solutions for the public sector.

Learn more
Microsoft 365 Data Protection

Our privacy-friendly configuration of Microsoft 365 for more data protection & data sovereignty in the public cloud.

Learn more
Microsoft Office 365

Discover our Digital Workplace Solutions with Microsoft Office 365.

Learn more

Written by

Tiny PNG Großjohann
Sonja Großjohann
Data Protection Coordinator
Subscribe to our newsletter
ImprintPrivacy PolicyGeneral Purchase ConditionsYour Career at Arvato SystemsContactChange Cookie-Settings
© 2024 Arvato Systems