On July 16th, 2020, the Schrems II decision by the CJEU (Court of Justice of the European Union) invalidated the EU-U.S. Privacy Shield Framework as a method for transferring and protecting personal data lawfully outside the EU. If you have users in the EU and your website builder uses Privacy Shield, you may need to contact the website builder or add Standard Contractual Clauses into your agreement.
We recommend reaching out to your web provider/host to see if they can host your EU customer data on servers located in Europe or a country recognized by the EU Commission as offering adequate data protection.
The EU Commission has listed the following countries as offering adequate data protection: Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Switzerland and Uruguay.
If your website builder can only host customer data within the United States and uses Privacy Shield, you will need to add Standard Contractual Clauses into your agreement.
Standard Contractual Clauses (SCCs) are another method to transfer personal data lawfully outside the EU and ensure that personal data remains protected in accordance with EU law. They consist of non-negotiable language approved by the European Commission for agreements governing the transfer of personal data outside the EU.
However, following the CJEU decision, SCCs alone are likely not enough for compliance. Guidance suggests companies will need to conduct data transfer “risk assessments”, and “supplemental measures” (such as, but not limited to, encryption of data in transit, and contractual or policy commitments from your website builder restricting government access to data) will likely need to be implemented to transfer data lawfully to the U.S.