Data Protection Day: Schrems II: The SME dilemma

15 years of Data Protection Day, 15 times reminding organizations across all industries and sizes of the importance of data protection. Lately we have seen a number of regulations and rulings, such as the GDPR or Schrems II, all small steps towards proper data protection that secures personal data and gives the topic the recognition it deserves.

The European Convention on Data Protection was signed 40 years ago. This is why European Data Protection Day is celebrated every year on January 28. Data protection continues to pose major challenges for companies: With the ruling of the European Court of Justice in the Schrems II case, pressure is growing on small and medium-sized companies to re-evaluate their processes and procedures and adapt them to the regulations of the EU GDPR. Mareike Vogt, data protection expert at TÜV SÜD, takes a closer look at this current topic.

The EU GDPR stipulates that the transfer of personal data to a country outside the EU/EEA is only permitted, among other conditions, if the destination country or organization guarantees a level of data protection equivalent to that of the European Data Protection Regulation (EU GDPR). The United States of America, for example, does not meet this requirement, which is why the EU-US Privacy Shield was overturned by the European Court of Justice (ECJ) in the Schrems II case. According to many experts, this was foreseeable from the moment the agreement was introduced. This political negligence is now causing major difficulties for small and medium-sized enterprises (SMEs) in particular: they need to adapt their own processes, and the software and hardware they use (for example, data centers), as quickly as possible.

New contracts or new providers?

In their day-to-day work, SMEs usually rely on software and as-a-service solutions from larger, established providers, or they adapt to the processes and requirements of their customers. To ensure that the personal data processed is protected in accordance with the ruling, all of this must now be reviewed. If SMEs have concluded standard contractual clauses with their service providers as a safeguard, these too may be affected by Schrems II: often, such clauses alone are not sufficient to protect personal data within the USA, and additional technical measures must be taken. In addition, an enormous amount of data, hidden at first glance behind sub-processors, flows to the USA or is stored on servers there, even though the provider is nominally a European company or has branches here. If the providers are not in a position to comply with the ruling, SMEs also have a duty to look for new solutions immediately, or even to provide the services themselves, for example on premises on their own servers.


External help compensates for shortage of skilled workers

Many SMEs are facing major challenges as a result of Schrems II. Those who fail to comply with the EU GDPR face stiff fines and public exposure by civil organizations dedicated to data protection, such as NOYB, which do not shy away from putting companies in a digital pillory. Many companies also lack the appropriate specialists to implement the requirements. However, there is a simple way out of this dilemma for SMEs: independent consultants and externally appointed data protection officers are permitted, and they not only relieve the company itself but also guarantee an objective assessment of the situation. With their help, even small and medium-sized companies can adapt their systems and processes to the new situation without too much effort.


Data protection specialist at TÜV SÜD Sec-IT

Mareike Vogt has been a data protection specialist at TÜV SÜD Sec-IT since 2018. As external Data Protection Officer (DPO), she advises companies on all issues related to data protection and data privacy, monitors their processes relevant to these areas and supports companies in their communications with supervisory authorities. Her area of expertise also covers advisory services, e.g. for internal data protection officers.

In 2020, Mareike Vogt was additionally appointed Data Protection Coordinator of TÜV SÜD Sec-IT. In this role, she supports management and is responsible for the internal implementation of data protection measures. In the course of her professional activities, she has also gained certified qualifications as a data protection auditor and information security officer. Mareike Vogt laid the foundations for her work as a data protection specialist during her bachelor's and master's studies in law and economic sciences at Augsburg University.
