Vercom, to which EmailLabs belongs, is a European company, fully compliant with the provisions of GDPR and based solely on its own servers located in CEE. We provide our services based on our know-how and technology. Confirmation of the care for information security is the successfully completed certification audit and supervision audit of the Information Security Management System according to the ISO/IEC 27001:2013 standard, the scope of which concerns the ‘Creation, maintenance and development of electronic communication solutions, including SMS emails, pushes in the CPaaS model’. We are also preparing for an audit in the area of ISO 27018 Cloud data security.
Is the use of foreign, especially American, solutions such as smtp, email api safe and what does this mean for controllers? Do you transfer personal data such as your clients’ e-mail addresses outside the EEA? – Be sure to read our study.
As far as transfers outside the EEA are concerned, countries can be divided into two basic groups: countries for which the European Commission has issued a decision establishing an adequate level of data protection, and countries for which no such decision has been issued. In the case of countries for which a European Commission decision has been issued, the transfer of data to them can, in principle, be treated as equivalent to an intra-EEA transfer. However, the USA is not included in this group of countries. On 16 July 2020, the Court of Justice of the EU, in the case of Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (the so-called Schrems II case), ruled that the Commission’s decision for the USA, the so-called Privacy Shield, does not meet the adequacy requirement and does not comply with the GDPR.
This means that additional prerequisites must be met in order to transfer data to the US, in particular:
The so-called standard contractual clauses may be used in an agreement with the US processor and, in addition, the legislation of that country may be examined, determining whether it provides an adequate level of protection (as indicated in the cited Shrems II judgement). The Shrems II judgement determines that US legislation does not provide such protection.
Therefore, in accordance with the guidelines of the European Data Protection Board, when transferring data to the USA, the service provider should be required not only to conclude a processing entrustment agreement based on standard contractual clauses, but also to provide additional safeguards (inter alia adopting and documenting technical measures ensuring more adequate protection by making the data more difficult to access, e.g. encryption, pseudonymisation, further monitoring of changes in third country legislation).
If the above conditions are not met, it is exceptionally possible to invoke additional, specific consent of the data subject for the transfer of data outside the EEA or grounds other than the consent, which, however, are not widely used in practice (Article 49 of the GDPR).
If these conditions are not met, sharing personal data with a US supplier should be considered illegal and giving rise to a risk of penalty.
EOG | Outside the EEA (refers to countries for which there is no appropriate European Commission decision, including the USA) | |
---|---|---|
What needs to be investigated before entrusting? | Verifying whether the processor guarantees the processing of personal data in accordance with the law, including ensuring their adequate security (Article 28 of the GDPR) | Verifying: – whether the processor guarantees the processing of personal data in accordance with the law, including ensuring their adequate security(Article 28 of the GDPR) – a multi-level legal analysis of the admissibility of the transfer of data to a specific country (Article 44 et seq. of the GDPR). In the case of the USA, it is most often necessary to investigate whether: – the supplier’s agreement is based on standard contractual clauses, and – the supplier provides additional data protection measures. Alternatively, it is possible to transfer data after obtaining specific consent or meeting other prerequisites of Article 49 of the GDPR, which are not often used in practice. |
Protection measures | No obligation to implement additional protection measures (standard level of protection adequate to the risk). | The requirement to implement additional protection measures by: – identifying all personal data processing operations to a third country, – verifying whether, in the context of a specific operation, the processing outside the EEA could adversely affect the effectiveness of the applied security measures, – adopting technical measures which are necessary to ensure that the level of protection of transferred data in a country outside the EEA is adequate to that guaranteed under the GDPR (e.g. pseudonymisation, encryption, etc.), – monitoring changes in the legislation of a given country and reacting to the changes by introducing additional security measures in the agreement with the processor. |
Information obligations towards data subjects | No additional information obligations. | The need to inform users of the company’s services of the intention to transfer data to third countries (as a result of cooperation with an entity processing data in a country outside the EEA), together with an indication of the safety measures applied and information on whether or not the European Commission has recognised an adequate level of protection. |
Possible penalty for violation | Possible breach of Article 28 of the GDPR, which is punishable by a fine of up to EUR 10,000,000 or up to 2% of its total annual worldwide turnover from the previous financial year. | Possible violation of both Article 28 and additionally Article 44 et seq. of the GDPR. Punishable by a fine of up to EUR 20,000,000 or up to 4% of its total annual worldwide turnover from the previous financial year. |
Internal documentation concerning personal data processing | No additional obligations. | The need to include additional entries in the Register of Processing Activities and to perform the analyses indicated above. |
Enforceability of claims against the processor | Possibility to enforce claims based on Polish law and EU law with regard to cross-border disputes. | The actual possibility of enforcing claims varies from country to country. There is a risk that the litigation cannot be conducted in Poland and on the basis of Polish law (or EU law), or that the judgement of a Polish court may not be recognised in a country outside the EEA. |
As you can see, there are many aspects to consider when planning to use foreign solutions to process Customer data. It is worth being aware of the differences in order to avoid unpleasant consequences and to prepare appropriately in procedural and legal terms.
The material was prepared with the assistance of attorney Maciej Jankowski, a partner of the law firm Media. The attorney’s areas of expertise include, among others, new technology law, including intellectual property law, personal data protection law and specific aspects of telecommunications law.
The increasing number of phishing attacks each year, and the projection that this trend will continue to escalate, aren’t likely to astonish anyone. This can be attributed, in part,...
With the emergence of the Covid-19 pandemic, many brands have been challenged to adapt in a short period to the changed reality and new consumer attitudes. That meant reorganizing...
Best practices, Email Authentication
Email headers may seem like a cloud of confusion, but fear not! In this ultimate guide, we will break down email headers and make them crystal clear. We’ll start...
Does your inbox feel like a never-ending to-do list? Are you spending more time sorting emails than actually working? You’re not alone. Millions of professionals struggle with email overload,...
Apple Mail, Email Marketing, Gmail
Efficient email management has become a necessity in today’s digital world. To address this need, email services categorize incoming messages into different tabs or folders, helping users streamline their...
We are delighted to announce that Vercom S.A., the company behind the EmailLabs project, has successfully completed the ISO 22301 certification process. This significant achievement underscores our commitment to...
EmailLabs, as part of the Vercom group, proudly announces its full commitment to aligning its ICT services with the latest cybersecurity standards. In response to dynamically changing regulations, the...
Best practices, Compliance & Security
As we step closer to a digitally connected future, ensuring inclusivity in our marketing strategies is more important than ever. Email, a cornerstone of digital communication, must evolve to...
We are pleased to announce that MessageFlow, a product from the Vercom S.A. group, has received the prestigious CSA (Certified Senders Alliance) Certification. This recognition not only underscores the...
The increasing number of phishing attacks each year, and the projection that this trend will continue to escalate, aren’t likely to astonish anyone. This can be attributed, in part,...
With the emergence of the Covid-19 pandemic, many brands have been challenged to adapt in a short period to the changed reality and new consumer attitudes. That meant reorganizing...
Best practices, Email Authentication
Email headers may seem like a cloud of confusion, but fear not! In this ultimate guide, we will break down email headers and make them crystal clear. We’ll start...
Does your inbox feel like a never-ending to-do list? Are you spending more time sorting emails than actually working? You’re not alone. Millions of professionals struggle with email overload,...
Apple Mail, Email Marketing, Gmail
Efficient email management has become a necessity in today’s digital world. To address this need, email services categorize incoming messages into different tabs or folders, helping users streamline their...
We are delighted to announce that Vercom S.A., the company behind the EmailLabs project, has successfully completed the ISO 22301 certification process. This significant achievement underscores our commitment to...
EmailLabs, as part of the Vercom group, proudly announces its full commitment to aligning its ICT services with the latest cybersecurity standards. In response to dynamically changing regulations, the...
Best practices, Compliance & Security
As we step closer to a digitally connected future, ensuring inclusivity in our marketing strategies is more important than ever. Email, a cornerstone of digital communication, must evolve to...
We are pleased to announce that MessageFlow, a product from the Vercom S.A. group, has received the prestigious CSA (Certified Senders Alliance) Certification. This recognition not only underscores the...
The increasing number of phishing attacks each year, and the projection that this trend will continue to escalate, aren’t likely to astonish anyone. This can be attributed, in part,...
Do you ever wonder how many people actually open the emails you send? Knowing the number of people who open your emails is essential for understanding the effectiveness of...
Gmail has become a cornerstone of modern email communication, offering a dynamic platform that caters to both personal and professional needs. Since its inception in 2004, Gmail has consistently...
EmailLabs, as part of the Vercom group, proudly announces its full commitment to aligning its ICT services with the latest cybersecurity standards. In response to dynamically changing regulations, the...
Email deliverability is a cornerstone of effective digital marketing. It ensures that your carefully crafted messages reach the intended recipients’ inboxes rather than being relegated to spam folders. Google...
Best practices, Deliverability
Do you know why some of your emails end up in the spam folder while others fail to reach recipients altogether? The answers lie in two critical concepts in...
Best practices, Email Authentication
Email headers may seem like a cloud of confusion, but fear not! In this ultimate guide, we will break down email headers and make them crystal clear. We’ll start...
Does your inbox feel like a never-ending to-do list? Are you spending more time sorting emails than actually working? You’re not alone. Millions of professionals struggle with email overload,...
Apple Mail, Email Marketing, Gmail
Efficient email management has become a necessity in today’s digital world. To address this need, email services categorize incoming messages into different tabs or folders, helping users streamline their...
We are delighted to announce that Vercom S.A., the company behind the EmailLabs project, has successfully completed the ISO 22301 certification process. This significant achievement underscores our commitment to...
Do you ever wonder how many people actually open the emails you send? Knowing the number of people who open your emails is essential for understanding the effectiveness of...
Gmail has become a cornerstone of modern email communication, offering a dynamic platform that caters to both personal and professional needs. Since its inception in 2004, Gmail has consistently...
EmailLabs, as part of the Vercom group, proudly announces its full commitment to aligning its ICT services with the latest cybersecurity standards. In response to dynamically changing regulations, the...
Email deliverability is a cornerstone of effective digital marketing. It ensures that your carefully crafted messages reach the intended recipients’ inboxes rather than being relegated to spam folders. Google...
Best practices, Deliverability
Do you know why some of your emails end up in the spam folder while others fail to reach recipients altogether? The answers lie in two critical concepts in...
Best practices, Email Authentication
Email headers may seem like a cloud of confusion, but fear not! In this ultimate guide, we will break down email headers and make them crystal clear. We’ll start...
Does your inbox feel like a never-ending to-do list? Are you spending more time sorting emails than actually working? You’re not alone. Millions of professionals struggle with email overload,...
Apple Mail, Email Marketing, Gmail
Efficient email management has become a necessity in today’s digital world. To address this need, email services categorize incoming messages into different tabs or folders, helping users streamline their...
We are delighted to announce that Vercom S.A., the company behind the EmailLabs project, has successfully completed the ISO 22301 certification process. This significant achievement underscores our commitment to...
Do you ever wonder how many people actually open the emails you send? Knowing the number of people who open your emails is essential for understanding the effectiveness of...