ALBATO DATA TRANSFER IMPACT ASSESSMENT

ALBATO SERVICES

Albato Limited, Cyprus, HE 420916, email: cyprus@albato.com (“Albato”, “we”, “Processor”), provides subscriptions to its Software as a Service (SaaS) product/services, a no-code solution for the automation of your (“you”, “Customer”, “Controller”) workflow by integrating different applications. We provide standard and custom subscriptions as well as embedded subscription services.

DATA PROCESSOR

While providing services we act as Processor for our customers. The Customer acts as Controller, who determines the purposes and means of the processing of personal data as well as the types of personal data processed.

PERSONAL DATA PROCESSED

The personal data we process may include name, company name, email, phone number, and other data as may be requested by the Controller, including by using the Albato interface to upload personal data, and may vary depending on the specific customer use case. Personal data uploaded by a customer may include the customer’s own data as well as that of the customer’s clients, end-users, employees, suppliers, etc. The Customer is solely responsible for ensuring that the personal data it uploads and/or processes via Albato is uploaded legally and that the Customer has a legal ground to process it.

GENERAL ASSESSMENT

Please take into account that this assessment document contains general rules applicable to all our customers, but each customer-specific use case shall also be assessed by the customer on its own, including by obtaining legal advice, as the assessment depends on the context of the personal data involved and the types of processing.

GDPR INTERNATIONAL TRANSFER RULES. SCHREMS II RULING.

Article 45 of the GDPR provides that a transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation, as provided for in GDPR Article 45(1) and recital 103 of Regulation (EU) 2016/679.

On 16 July 2020, the Court of Justice of the European Union (CJEU) issued its ruling in the “Schrems II” case. In that ruling, the CJEU invalidated the EU-U.S. Privacy Shield framework as a mechanism for lawful transfers of personal data from the EU to the U.S. As a result, transfers of personal data from the EU to the U.S. no longer fell under Article 45 of the GDPR.

Following Schrems II and the European Data Protection Board Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data, the following six steps were elaborated and recommended for transfer impact assessments:

Step 1: Identify international data transfers.

Step 2: Identify data transfer mechanism(s).

Step 3: Assess the laws or practices of the third countries.

Step 4: Adopt supplementary measures.

Step 5: Adopt necessary procedural steps.

Step 6: Re-evaluate.

Also following the Schrems II judgment, the European Commission entered into talks with the U.S. government with a view to a possible new adequacy decision that would meet the requirements of Article 45(2) of Regulation (EU) 2016/679 as interpreted by the Court of Justice.

THE EU-U.S. DATA PRIVACY FRAMEWORK (DPF)

The EU-U.S. DPF (or “DPF”) is based on a system of certification by which U.S. organisations commit to a set of privacy principles, the ‘EU-U.S. Data Privacy Framework Principles’. To be eligible for certification under the EU-U.S. DPF, an organisation must be subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) or the U.S. Department of Transportation (DoT). EU-U.S. DPF organisations are required to re-certify their adherence to the Principles on an annual basis.

Following the Schrems II decision and as a result of discussions with the European Commission, the United States on 7 October 2022 adopted Executive Order 14086 ‘Enhancing Safeguards for US Signals Intelligence Activities’ (EO 14086), which is complemented by a Regulation on the Data Protection Review Court issued by the U.S. Attorney General (AG Regulation). In addition, the EU-U.S. DPF has been updated.

The European Commission has carefully analysed U.S. law and practice, including EO 14086 and the AG Regulation. Based on the findings, the Commission concluded that the United States ensures an adequate level of protection for personal data transferred under the EU-U.S. DPF from a controller or a processor in the Union to certified organisations in the United States. This was stated in the Commission Implementing Decision of 10.07.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework. This Decision has the effect that personal data transfers from controllers and processors in the Union to certified organisations in the United States may take place under the GDPR without the need to obtain any further authorisation.

ALBATO INTERNATIONAL DATA TRANSFER

Albato makes international transfers of the personal data indicated in Section 3 above; the list and volume of data is determined based on the instructions of the customer. Transfers are made, as applicable, on the basis of the relevant Data Protection Agreement and Standard Contractual Clauses. Albato is hosted on Amazon Web Services and the storage location is in the U.S., so the analysis of current U.S. legislation is made, inter alia, pursuant to the Commission Implementing Decision of 10.07.2023. In addition to legal agreements, Albato also takes up-to-date technical and organisational measures to ensure the safety of personal data. The international data transfer is carried out only to a sole third party, Amazon Web Services, Inc., which is certified under the EU-US Data Privacy Framework.