Without being aware of it, many companies have been violating European privacy rules since this summer. Working with US cloud service providers is no longer covered by the GDPR rules. This is because the European Court of Justice has declared the Privacy Shield agreement invalid. The agreement regulates how the US handles the processing of European citizens' user data and was created to ensure you could continue to use cloud services provided by US companies. However, it now turns out the Privacy Shield is not sufficient after all.
The General Data Protection Regulation (GDPR) states that personal data may not simply be transferred to individuals or organisations based in countries outside the European Economic Area (third countries), such as the US. This is only allowed if the level of personal data security guaranteed by the GDPR is not undermined in those third countries. The Court of Justice holds that the Privacy Shield cannot guarantee an adequate level of protection. This is because, under US law, the intelligence and security services there have the right to access and use EU citizens' data.
Therefore, if you want to comply with the GDPR rules (and of course you must), it is no longer possible to store customer data with, or work with, US cloud services. In short: if you work with research tools from the US, you are not working according to the GDPR rules. You may also be working with American parties without realising it. For example, if your suppliers process the data via American cloud services, you are not working to the GDPR guidelines. To ensure you are doing the right thing, we recommend verifying all your suppliers to remain compliant.
Do you use Crowdtech technology? Then you’re covered. Our platform complies with the GDPR rules. We do not outsource our hosting to third parties. Our hardware is located in our data centre in Amsterdam and our technology is developed and maintained by ourselves. So, your data always stays within the EU and you comply with the GDPR rules.