What does Schrems II mean? – Why VisionFlow is a safe and smart choice for your case management
On July 16, 2020, the European Court of Justice announced the Schrems II ruling, which has had extensive consequences for the use of American cloud services.
Under GDPR, the transfer of personal data to a third country – that is, a country outside the EU/EEA – may only take place if the recipient country can guarantee an adequate level of protection for the data. In practice, this has proven to be highly complex, making it difficult to ensure the required level of protection. After Schrems II, there is in many cases no longer a clear legal path for processing personal data in the U.S.
By choosing VisionFlow for your case management and CRM, you can rest assured. As a local Nordic provider, we comply with GDPR and ensure that data is stored within the EU. All information is handled securely, and VisionFlow offers the necessary features to help you and your organization meet GDPR requirements.
With VisionFlow, you can always trust that all customer information is kept safe within Sweden’s borders.
What is Schrems?
C-362/14 and C-311/18 are what we today call Schrems I and II. Both are rulings from the European Court of Justice, named after Austrian lawyer and privacy activist Maximilian Schrems.
Schrems challenged Facebook in Ireland, arguing that the company reserved the right to transfer his personal data to the U.S., despite the country’s mass surveillance systems conflicting with EU data protection laws.
The case reached the European Court of Justice, which ruled in Schrems’ favor. The Court invalidated the agreement known as Safe Harbour, which companies had used for transatlantic data transfers. This ruling, later called Schrems I, affected not only Facebook but many other companies.
Safe Harbour was replaced in 2016 with the Privacy Shield framework, which allowed digital traffic between the EU and U.S. to continue relatively unhindered. U.S. companies could register with the U.S. Department of Commerce to certify compliance.
On July 16, 2020, the European Court of Justice declared that the Privacy Shield agreement did not provide sufficient protection for personal data transferred to the U.S.
Schrems won once again, and the ruling became known as Schrems II.
What does this mean for Swedish companies and organizations?
Schrems II applies to all companies that process personal data within the EU but transfer it to a third country. It is very common to find Swedish companies using American cloud services.
The Schrems II ruling states that supervisory authorities in EU member states must actively intervene against controllers who transfer personal data to third countries without legal grounds. Sweden’s privacy regulator (IMY) has already begun investigations against Swedish companies.
The review is part of an EU-wide effort led by the European Data Protection Board (EDPB) task force set up to handle the complaints filed since the Schrems II ruling.
What happens if you don’t comply with Schrems II?
The exact consequences are still not entirely clear, since no cases have yet been decided under Schrems II. But based on previous violations of the EU’s General Data Protection Regulation, companies risk fines, sanctions, and compensation claims.
Given the potentially devastating consequences for companies found non-compliant, it is highly relevant to review any suppliers whose services involve data transfers to the U.S. The key question: is it truly necessary to use this solution, or would it be safer and smarter to choose a provider that keeps data within the EU and thereby eliminates the risk of a potential ruling?
Do you have questions about GDPR, Schrems II, or VisionFlow’s data management?
Don’t hesitate to contact us!