What has changed?
In a decision dated July 16, 2020, the European Court of Justice declared the Privacy Shield, which had previously been relevant for data transfers between Europe and the United States, invalid. The Court further stated that standard contractual clauses ("SCCs") may in principle continue to be used for the transfer of data to third countries with an inadequate level of data protection, provided that additional safeguards are in place for the personal data (so-called Schrems II decision).
Due to necessary adjustments to the GDPR and in response to the additional safeguards required by Schrems II, the European Commission issued revised and modified SCCs on June 4, 2021, replacing the previous legacy SCCs that were still adopted on the basis of the Data Protection Directive 95/46, which was superseded by the GDPR. New contracts that provide for third-country transfers can already no longer be based on the legacy SCCs as of Sept. 27, 2021, and per the transition period until Dec. 27, 2022, legacy SCCs for existing contracts must be replaced at the latest.
How has Planon implemented the new requirements?
- Planon's standard Data Processing Agreement (“DPA”) has been adapted. Specifically, the following clauses in the DPA in the Annex of your framework agreement have changed:
○ Clause 1 lit g): The term standard contractual clauses means the standard contractual clauses of the European Commission Decision of 04 June 2021 on standard contractual clauses for transfers of personal data to third countries in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council.
○ Clause 2.11 Data transfers to third countries: Planon undertakes to conclude standard contractual clauses with sub-processors in cases where processing activities on behalf of the customer involve a transfer of personal data to a country outside the EEA which, according to the European Commission, does not provide adequate protection for personal data.
○ In addition, the legacy EU standard contractual clauses between controller and processor, which were previously part of the DPA in Annex III, have been deleted. The legacy standard contractual clauses are replaced by the new clauses, which are concluded in the direct relationship between processor and sub-processor in case personal data is transferred to a third country outside the EEA, which does not provide sufficient protection for personal data.
- Planon works with the Hosting & Cloud Services provider AWS. Here, too, we attach great importance to the data protection-compliant processing of your data. Therefore, in addition to the service agreement, we have concluded an Data Processing Agreement with the European company Amazon Web Services EMEA SARL ("AWS Europe", based in Luxembourg), which implements the requirements of the GDPR and includes the new SCCs. For more information on the collaboration with AWS, please contact your local sales representative.
- Data transfer in the Planon Group is governed by an intra-company agreement that covers all relevant data flows. The agreement has been revised to ensure that the intra-company data flows within the support process to the subsidiary Planon India, are based on the new SCCs.
In particular, we have performed the required under Article 14 of the new SCCs between the processor and sub-processor for the transfer of personal data of customers to India (via remote access) as part of the support process. Taking into account all security measures taken on Planon's side and the specific transfer, the result is a low risk.
- Please find more information on the Technical and Organizational Security Measures regarding Support Services outside the European Economic Area in the whitepaper. Please contact your sales representative for this.
What do you have to do now?
We will be happy to advise and support you with further questions or implementations. Please contact your respective account manager for this purpose.