ALBATO DATA TRANSFER IMPACT ASSESSMENT
1. ALBATO SERVICES
Albato Limited, Cyprus, HE 420916, email: cyprus@albato.com (“Albato”, “we”, “Processor”), provides subscriptions to its Software as a Service (SaaS) product, a no-code solution for automating your (“you”, “Customer”, “Controller”) workflow by integrating different applications. We provide standard and custom subscriptions as well as embedded subscription services.
2. DATA PROCESSOR
While providing services, we act as Processor for our customers. The Customer acts as Controller, and determines the purposes and means of the processing of personal data as well as the types of personal data processed.
3. PERSONAL DATA PROCESSED
The personal data we process may include name, company name, email, phone number, and other data as may be requested by the Controller, including data uploaded through the Albato interface, and may vary depending on the specific customer use case. Personal data uploaded by a customer may include the customer’s own data as well as that of the customer’s clients, end-users, employees, suppliers, etc. The Customer is solely responsible for ensuring that any personal data it uploads and/or processes via Albato is uploaded lawfully and that the Customer has a legal basis to process it.
4. GENERAL ASSESSMENT
Please take into account that this assessment document contains general rules applicable to all our customers; each customer’s specific use case shall also be assessed by the customer on its own, including by obtaining legal advice, because the assessment depends on the personal data involved and the types of processing.
5. GDPR INTERNATIONAL TRANSFER RULES. SCHREMS II RULING.
GDPR states in Article 45 that a transfer of personal data to a third country or an international organization may take place where the Commission has decided that the third country, a territory, or one or more specified sectors within that third country, or the international organization in question ensures an adequate level of protection. Such a transfer shall not require any specific authorization as provided for in GDPR Article 45(1) and recital 103 of Regulation (EU) 2016/679.
On 16 July 2020, the Court of Justice of the European Union (CJEU) issued its ruling in the “Schrems II” case. In that ruling, the CJEU invalidated the EU-U.S. Privacy Shield framework as a mechanism for lawful transfers of personal data from the EU to the U.S. As a result, transfers of personal data from the EU to the U.S. no longer fell under Article 45 of the GDPR.
Following Schrems II and European Data Protection Board Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, the following six steps were set out and recommended for a transfer impact assessment:
- Identify international data transfers.
- Identify data transfer mechanism(s).
- Assess the laws or practices of the third countries.
- Adopt supplementary measures.
- Adopt necessary procedural steps.
- Re-evaluate.
Also, following the Schrems II judgment, the European Commission entered into talks with the U.S. government with a view to a possible new adequacy decision that would meet the requirements of Article 45(2) of Regulation (EU) 2016/679 as interpreted by the Court of Justice.
6. THE EU-U.S. DATA PRIVACY FRAMEWORK (DPF)
The EU-U.S. DPF (or “DPF”) is based on a system of certification by which U.S. organizations commit to a set of privacy principles - the ‘EU-U.S. Data Privacy Framework Principles’. To be eligible for certification under the EU-U.S. DPF, an organization must be subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) or the U.S. Department of Transportation (DoT). EU-U.S. DPF organizations are required to re-certify their adherence to the Principles on an annual basis.
Following the Schrems II decision and as a result of discussions with the European Commission, the United States on 7 October 2022 adopted Executive Order 14086 ‘Enhancing Safeguards for US Signals Intelligence Activities’ (EO 14086), which is complemented by a Regulation on the Data Protection Review Court issued by the U.S. Attorney General (AG Regulation). In addition, the EU-U.S. DPF has been updated.
The European Commission has carefully analyzed U.S. law and practice, including EO 14086 and the AG Regulation. Based on the findings, the Commission concluded that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. DPF from a controller or a processor in the Union to certified organizations in the United States. This was stated in the Commission Implementing Decision on 10.07.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework.
This Decision has the effect that personal data transfers from controllers and processors in the Union to certified organizations in the United States may take place under GDPR without the need to obtain any further authorization.
7. ALBATO INTERNATIONAL DATA TRANSFER
Albato makes international transfers of personal data as indicated in Section 3 above. The list and volume of data are determined based on the instructions of the customer. Transfers are made, as applicable, based on the relevant Data Protection Agreement and Standard Contractual Clauses.
As Albato is hosted on Amazon Web Services (AWS) and the storage location is in the U.S., the analysis of current U.S. legislation is made, inter alia, pursuant to the Commission Implementing Decision of 10.07.2023. In addition to legal agreements, Albato also implements up-to-date technical and organizational measures to ensure the security of personal data.
The international data transfer is carried out only to a single third party, Amazon Web Services, Inc., which is certified under the EU-US Data Privacy Framework (https://www.dataprivacyframework.gov/s/participant-search).