Vercom, to which EmailLabs belongs, is a European company, fully compliant with the provisions of the GDPR and operating solely on its own servers located in CEE. We provide our services based on our own know-how and technology. Our care for information security is confirmed by the successfully completed certification audit and surveillance audit of our Information Security Management System against the ISO/IEC 27001:2013 standard, whose scope covers the ‘Creation, maintenance and development of electronic communication solutions, including SMS, emails, pushes in the CPaaS model’. We are also preparing for an audit in the area of ISO 27018 (cloud data security).
Is the use of foreign, especially American, solutions such as SMTP relays or email APIs safe, and what does this mean for controllers? Do you transfer personal data such as your clients’ e-mail addresses outside the EEA? Be sure to read our study.
As far as transfers outside the EEA are concerned, countries can be divided into two basic groups: countries for which the European Commission has issued a decision establishing an adequate level of data protection, and countries for which no such decision has been issued. In the case of countries for which a European Commission decision has been issued, the transfer of data to them can, in principle, be treated as equivalent to an intra-EEA transfer. However, the USA is not included in this group of countries. On 16 July 2020, the Court of Justice of the EU, in the case of Data Protection Commissioner v. Facebook Ireland Ltd and Maximillian Schrems (the so-called Schrems II case), ruled that the Commission’s decision for the USA, the so-called Privacy Shield, does not meet the adequacy requirement and does not comply with the GDPR.
This means that additional prerequisites must be met in order to transfer data to the US, in particular:
The so-called standard contractual clauses may be used in the agreement with the US processor and, in addition, the legislation of that country must be examined to determine whether it provides an adequate level of protection (as indicated in the cited Schrems II judgement). The Schrems II judgement itself finds that US legislation does not provide such protection.
Therefore, in accordance with the guidelines of the European Data Protection Board, when transferring data to the USA, the service provider should be required not only to conclude a processing entrustment agreement based on standard contractual clauses, but also to provide additional safeguards (inter alia adopting and documenting technical measures ensuring more adequate protection by making the data more difficult to access, e.g. encryption, pseudonymisation, further monitoring of changes in third country legislation).
If the above conditions are not met, it is exceptionally possible to invoke additional, specific consent of the data subject for the transfer of data outside the EEA or grounds other than the consent, which, however, are not widely used in practice (Article 49 of the GDPR).
If these conditions are not met, sharing personal data with a US supplier should be considered illegal and giving rise to a risk of penalty.
| | EEA | Outside the EEA (countries for which there is no adequacy decision of the European Commission, including the USA) |
|---|---|---|
| What needs to be investigated before entrusting processing? | Verifying whether the processor guarantees the processing of personal data in accordance with the law, including its adequate security (Article 28 of the GDPR). | Verifying (1) whether the processor guarantees the processing of personal data in accordance with the law, including its adequate security (Article 28 of the GDPR), and (2) a multi-level legal analysis of the admissibility of the transfer of data to the specific country (Article 44 et seq. of the GDPR). In the case of the USA, it is most often necessary to check whether the supplier’s agreement is based on standard contractual clauses and whether the supplier provides additional data protection measures. Alternatively, data may be transferred after obtaining specific consent or meeting another prerequisite of Article 49 of the GDPR, which are rarely used in practice. |
| Protection measures | No obligation to implement additional protection measures (standard level of protection adequate to the risk). | Additional protection measures are required: identifying every processing operation that transfers personal data to the third country; verifying whether, for a given operation, processing outside the EEA could undermine the effectiveness of the applied security measures; adopting the technical measures needed to bring the level of protection of the transferred data up to that guaranteed by the GDPR (e.g. pseudonymisation, encryption); and monitoring changes in the legislation of the given country and responding to them by adding security measures to the agreement with the processor. |
| Information obligations towards data subjects | No additional information obligations. | Users of the company’s services must be informed of the intention to transfer data to third countries (as a result of cooperation with a processor in a country outside the EEA), together with an indication of the safeguards applied and whether or not the European Commission has recognised an adequate level of protection. |
| Possible penalty for violation | Possible breach of Article 28 of the GDPR, punishable by a fine of up to EUR 10,000,000 or up to 2% of total annual worldwide turnover for the previous financial year. | Possible violation of Article 28 and additionally Article 44 et seq. of the GDPR, punishable by a fine of up to EUR 20,000,000 or up to 4% of total annual worldwide turnover for the previous financial year. |
| Internal documentation concerning personal data processing | No additional obligations. | Additional entries must be made in the Register of Processing Activities and the analyses indicated above must be performed. |
| Enforceability of claims against the processor | Claims can be enforced under Polish law and EU law on cross-border disputes. | The practical possibility of enforcing claims varies from country to country. There is a risk that litigation cannot be conducted in Poland under Polish (or EU) law, or that the judgement of a Polish court will not be recognised in a country outside the EEA. |
As you can see, there are many aspects to consider when planning to use foreign solutions to process customer data. It is worth being aware of these differences in order to avoid unpleasant consequences and to prepare appropriately in procedural and legal terms.
The material was prepared with the assistance of attorney Maciej Jankowski, a partner of the law firm Media. The attorney’s areas of expertise include, among others, new technology law, including intellectual property law, personal data protection law and specific aspects of telecommunications law.