Supplementary measures following Schrems II [2]

How AskCody continues to Protect Personal Data based on EDPB recommendations on supplementary measures following Schrems II [2]

This article is based on an e-book with the same topic and content. The sections of the e-book are marked with direct links below.

Sections of this article:

  • The EDPB's recommendations: what do they say?
  • Ensuring EU compliant protection of personal data and preventing non-compliant third-country data transfer
  • Data processing for European customers and users in Europe
  • Contractual measures and updates to the DPA with Microsoft
  • Supplementary technical safeguards and measures taken by AskCody to comply with the EDPB guidance
  • Risk Assessment
  • Pseudonymization
  • Transparency and accountability measures
  • Data Minimization measures
  • Other technical or organizational measures implemented
  • Supplementary measures not implemented by AskCody
  • Final thoughts and comments implementing supplementary measures following Schrems II
The European Data Protection Board (EDPB) has published updated guidance with recommendations on supplementary measures, to ensure that data transfers remain compliant following the ruling by the Court of Justice of the European Union (CJEU). This e-book is AskCody's response, giving our customers confidence that your data is still safe with AskCody and that AskCody is still processing personal data in compliance with the GDPR.

Since the CJEU's Schrems II ruling of July 2020, which invalidated the EU-U.S. Privacy Shield, the industry has raised questions about data protection and potentially non-compliant transfers of data from the EU to third countries.

Because of this, we have found it necessary to clarify and document, even further, how we protect our customers, their users, and their data, to ensure that all contractual agreements between AskCody and customers are upheld and still comply with the EU GDPR requirements on data processing, based on the ruling and the follow-up guidance published in November 2020.

The EDPB's recommendations: what do they say?

The EDPB's recommendations on supplementary transfer measures aim to assist both controllers and processors, in their role as data exporters, with their duty to identify and implement appropriate supplementary measures where needed. The EDPB has laid out a 'roadmap' of six steps that data exporters should take when determining whether supplementary measures must be put in place for a certain data transfer:

  1. Know your transfers;
  2. Verify the transfer tool your transfer relies on;
  3. Assess the law or practice of the third country, in the context of your specific transfer;
  4. Identify and adopt the necessary supplementary measures, if necessary;
  5. Take any formal procedural steps for the adoption of the necessary supplementary measures identified; and
  6. Re-evaluate, at appropriate intervals, the level of protection of the data transfer.

If the legal assessment reveals that the recipient third country’s legislation impinges on the effectiveness of the Article 46 GDPR transfer safeguards relied upon, data exporters must identify and adopt supplementary measures, as they are required to provide a standard of protection for the data that is essentially equivalent to that provided by EU law.

Bottom line: the United States, where AskCody's primary sub-processor Microsoft is based, does not live up to the four European Essential Guarantees put forth by the EDPB, and supplementary measures must therefore be put in place.

The supplementary measures appropriate in each case will depend on several factors, including the nature of the data transferred and the possibility that it may be subject to onward transfers.

Examples of supplementary measures provided by the Recommendations include:

  • Technical measures: such as forms of encryption, with encryption keys kept beyond the reach of relevant public authorities, and pseudonymization that does not permit re-identification of data.
  • Additional contractual measures: such as obligations to implement the technical measures discussed above, transparency obligations regarding the level of access available to government authorities in the recipient country and the measures taken to prevent access to personal data, and reinforced powers for the data exporter to audit the data importer. Data exporters should also consider contractually requiring data importers to review the legality of any access requests received and to challenge such requests where appropriate.
  • Organizational measures: such as the adoption of internal policies with clear allocation of responsibilities for data transfers and operating procedures in the event of an access request, transparency and accountability measures including documentation of access requests, and ensuring data minimization.

Supplementary measures may be contractual, technical, or organizational. Because of the legislation in, for instance, the US, we cannot rely solely on contractual and organizational measures and have therefore implemented further technical measures.

Ensuring EU compliant protection of personal data and preventing non-compliant third-country data transfer

One of the fundamental requirements of the GDPR is to ensure that the processing of personal data is thoroughly documented, and any transfer of data is only conducted as described in data processing agreements between data controllers and data processors.

Even before the ruling by the CJEU, AskCody had contractual (SCC), technical, and organizational measures in place to ensure that data processing complied with the requirements of the GDPR. Neither AskCody nor our sub-processors relied on the EU-U.S. Privacy Shield framework alone.

According to the European Data Protection Board (EDPB) guidance published in November 2020, data processors (or data exporters) should implement both contractual and technical safeguards to limit non-compliant third-country data transfers.

AskCody’s technical safeguards and organizational measures are described in our Information Security Policy and contractual safeguards are documented in DPAs with customers, along with DPAs we make with our sub-processors.

Data processing for European customers and users in Europe

AskCody is delivered as Software-as-a-Service, built on Microsoft Azure and hosted in the Microsoft Azure cloud. For European customers and users of AskCody, personal data is processed in Europe in our selected data centers and regions: we use Microsoft's data centers in Ireland and Amsterdam.

This makes Microsoft in Ireland and Amsterdam AskCody's primary sub-processor for hosting and processing customer and personal data, as described in our DPA and in our further documentation found in our Help Center.

Contractual measures and updates to the DPA with Microsoft

With Microsoft as our primary partner and primary sub-processor of the customer and personal data, this guidance is primarily focusing on how we ensure compliance with Microsoft.

To comply with the requirement that data processing has a contractual basis, we have a DPA with Microsoft that ensures that Microsoft only processes data according to AskCody's specifications and instructions. According to the DPA, Microsoft is not allowed to process AskCody's data (and our customers' data) in any way other than as described in the DPA and in the technical configuration of the Microsoft Azure services used by AskCody, without our consent.

Following this, Microsoft incorporates and implements a series of organizational, contractual, and technical requirements and measures according to a range of privacy and security standards and regulations, such as ISO 27001 and ISO 27018, against which Microsoft is audited every year. These third-party audits of Microsoft and its data centers in Ireland and Amsterdam, confirming that Microsoft complies with these standards and legislative requirements, are made available yearly. By using, for example, ISO 27001 and ISO 27018 as references, Microsoft commits that data will not be processed on our behalf without our consent, for instance by transferring data outside the regions we have selected (EU: Ireland and Amsterdam).

As part of AskCody's risk assessment and focus on complying with the GDPR, including our commitment to provide an ISAE 3000 report yearly, these Microsoft audit reports are in turn reviewed by us and our advisors as part of our risk assessment and internal ISAE 3000 audit, where any deviations are documented and evaluated for their influence on potential risks.

On 21 July 2020, Microsoft further amended the Data Processing Agreement with AskCody so that the standard contractual clauses take precedence over the EU-U.S. Privacy Shield Framework, eliminating any confusion about whether the DPA would be invalidated by the CJEU ruling. This has already been implemented between AskCody and Microsoft.

By mid-November 2020, Microsoft provided an addendum to the Data Processing Agreement with AskCody to respond to the European Data Protection Board (EDPB) guidance with new commitments that demonstrate the strength of Microsoft’s conviction to defend personal data. These new commitments assure us, and AskCody customers, that Microsoft is striving to protect the confidentiality of personal data and continue to comply with EU GDPR requirements for data protection and processing.

With this announcement, Microsoft demonstrates that they, as our primary sub-processor of personal data, provide strong protections for our customers' data and are transparent about their practices and how they defend customers' data. Microsoft's response to the EDPB draft recommendations and the additional steps they have taken give our customers added confidence about their data and about GDPR compliance following the CJEU's July 2020 ruling on the EU-U.S. Privacy Shield.

The announcement from Microsoft includes two important changes:

  • First, Microsoft commits to challenging every government request for customer and personal data, from any government, where there is a lawful basis for doing so. This strong commitment goes beyond the proposed recommendations of the EDPB.
  • Second, Microsoft will provide monetary compensation to customers' users if Microsoft discloses their data in response to a government request in violation of the EU's General Data Protection Regulation (GDPR). This commitment also exceeds the EDPB's recommendations.

Microsoft calls these protections Defending Your Data. Defending Your Data makes a substantial addition to Microsoft’s foundational privacy promises, and builds on the strong protections they already offer customers like AskCody, including some important updates, like:

  • Using strong encryption: Microsoft encrypts customer data to a high standard both in transit and at rest (AES-256, with keys in FIPS 140-2 Level 3 HSMs via Azure Key Vault). Encryption is a critical point in the draft EDPB recommendations. Microsoft is committed to not providing any government with encryption keys or any other way to break the encryption.
  • Standing up for customer rights: Microsoft does not provide any government with direct, unfettered access to customer data. If a government demands customer data from Microsoft, it must follow the applicable legal process. Microsoft is committed to complying with demands only when it is clearly compelled to do so. The first step in that process is always to redirect such orders to the customer and data subject, or to inform them, so that a third-country government request is handled by the customer and data subject it concerns rather than answered with personal data from Microsoft's side.
  • Being transparent: Microsoft has, for many years, published information about government demands for customer data and personal data. Microsoft sued the U.S. government over the ability to disclose more data about the national security orders they receive seeking customer data, and reached a settlement enabling them to do so. As a result, twice a year, Microsoft discloses more detailed information about these national security orders in addition to Microsoft's regular Law Enforcement Request Report.


Supplementary technical safeguards and measures taken by AskCody to comply with the EDPB guidance

Updating our Data Processing Agreement and adopting the Danish Data Protection Agency's Standard Contractual Clauses

AskCody is updating our standard Data Processing Agreement to be based on The Danish Data Protection Agency’s standard template (SCC) for Data Processing Agreements. The Danish Data Protection Agency is the independent authority that supervises compliance with the rules on the protection of personal data in Denmark.

Please find the Danish Data Protection Agency’s standard template here. Please reach out to AskCody to enter into the updated DPA.

Following the EDPB opinion (July 2019) on the draft standard contractual clauses (SCCs) for contracts between controller and processor submitted to the Board by the Danish Supervisory Authority (SA), the final text of the Danish SCCs, as adopted by the Danish SA, has been published in the EDPB's Register for Decisions taken by supervisory authorities and courts on issues handled in the consistency mechanism.

The new Data Processing Agreement is based on this standard processor agreement, which has been adopted by the Danish SA pursuant to art. 28(8) GDPR and aims at helping organizations to meet the requirements of art. 28 (3) and (4), given the fact that the contract between controller and processor cannot just restate the provisions of the GDPR but should further specify them, e.g. with regard to the assistance provided by the processor to the controller.

The possibility of using SCCs adopted by a SA does not prevent the parties from adding other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, the adopted clauses or prejudice the fundamental rights or freedoms of the data subjects.

We recommend that all AskCody customers adopt the updated Data Processing Agreement.

Using strong encryption and separating encryption keys and secrets on FIPS 140-2 Level 2 and Level 3 validated hardware security modules

The EDPB considers encryption to be an effective supplementary measure if the personal data is processed using strong encryption before transmission, if the encryption algorithm can be considered robust against cryptanalysis performed by public authorities, if the strength of the encryption takes into account the specific time period during which the confidentiality of the encrypted personal data must be preserved, if the keys are reliably managed, and if the keys are retained solely under the control of the data exporter.

To limit both Microsoft's access (as a sub-processor to AskCody) and the access of any government requesting data processed by Microsoft in Europe, we have implemented a range of supplementary security measures around the customer and personal data in AskCody. This ensures that even in the unlikely event that a non-compliant data transfer occurs, the data will not be accessible in clear text and cannot be compromised.

As always, we encrypt all data in transit and at rest using AES-256.

One of the recommendations put forth by the EDPB is that data importers (residing in a non-EU country) must not be in possession of the cryptographic keys. This further limits the possibility of third-party access to data if a non-compliant transfer to a third country occurs without consent.

To follow this recommendation from the EDPB, AskCody uses Azure Key Vault, backed by hardware security modules, to hold all encryption keys and secrets used in AskCody.

Azure Key Vault is designed so that Microsoft (or any government) cannot see or extract the stored encryption keys or secrets, because the keys are kept in FIPS 140-2 Level 2 and Level 3 validated hardware security modules (HSMs). This ensures that the encryption keys used to protect personal data are only accessible to AskCody within the EU, and thus enables us to comply with the recommendations put forth by the EDPB.

With these technical and contractual safeguards in place, we can provide our customers confidence that AskCody is committed to following the recommendations by the EDPB to comply with the EU GDPR.

Risk Assessment

As part of the supplementary measures implemented in response to the EDPB's recommendations on organizational measures, a risk assessment is also conducted in relation to sub-processors and their compliance. This has always been a part of AskCody's information security policy but is now extended to also cover sub-processors' compliance with ISO 27001 and ISO 27018.

The risk assessment is constructed from an evaluation of the risks that are associated with the handling and processing of personal data with our sub-processors, along with the consequences in regard to data availability, confidentiality, and data integrity. Procedures are documented and implemented based on the risk assessment in relation to handling activities with processors of data, as well as service suppliers related to the processing of personal data.

Following the EDPB's recommendations, a new risk assessment of Microsoft's practices and ISO 27018 compliance has been conducted, in which no nonconformities were found. We therefore conclude that Microsoft has implemented sufficient supplementary measures for us to continue the transfer of data.

Pseudonymization

Throughout our platform, we pseudonymize personal data. We do not keep personal data outside of production environments, nor in our logs, but instead rely on pseudonymized data in order to preserve the confidentiality and integrity of our services. This is a requirement for all processing internally. Every type of processing follows steps enforced by AskCody's Secure Software Development Policy, which requires written approval for all development work and provides feedback to developers.

At AskCody, we only transfer personal data in such a manner that it can no longer be attributed to a specific data subject, while the additional information needed for attribution is held exclusively by the Data Processor (us) and stored separately. This is deemed an effective supplementary measure by the EDPB.

Additionally, AskCody, as Data Processor, must retain sole control of the algorithm (and the key) that enables re-identification using the additional information kept separately, while ensuring that the pseudonymized personal data cannot be attributed to an identifiable person without that additional information. This too is deemed an effective supplementary measure by the EDPB.

As part of our Secure Software Development Policy, we have highlighted the following rules for how we ensure pseudonymization:

  • Confidential data is never used in the development and test environments
    • Datastores containing Personal Data must be inaccessible to applications and services that do not need access to them. We distinguish between production, test, and development environments in this regard, making sure that data store instances in one environment are only available to applications and services within that same environment.
    • Only our production environment is allowed access to Personal Data related to our customers. Other environments are not.
    • Additionally, we limit access to Personal Data to only those applications and services that need it.
  • All applications and services must document which types of data they operate on and categorize them as sensitive or insensitive information
    • All Personal Data must be identifiable as such throughout our codebase, data stores, and infrastructure, across all our applications and services.
  • All applications must log according to the data they operate on
    • Actions that add, edit, or delete Personal Data, taken by any AskCody user in any AskCody product, are referred to as Personal Data Actions. Such Personal Data Actions must always be automatically logged.
    • Actions involving non-personal data are not required to be logged by default. Personal Data Actions
  • Logs contain no personal data
    • Log entries about Personal Data Actions must not themselves contain any Personal Data. The exclusion of personal data from log entries must be handled automatically.
  • Logs that are no longer needed for any purpose are deleted after an appropriate retention period
    • Automatic deletion of all log entries that no longer serve any purpose is implemented during product development.
  • Implement logging and security according to the identified data types
    • During planning, design, and implementation of work, we must identify all data types the service will interact with that are either Personal Data or relevant from a security perspective. System operations and user actions that process this data must be logged, and adequate security measures must be implemented to ensure that legal and security-related requirements are met.
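The two pseudonymization requirements above (a pseudonym that cannot be reversed without additional information held separately by the processor, and log entries about Personal Data Actions that carry no personal data) can be illustrated with the following Python example. It is an added example and not AskCody's code: the key PSEUDO_KEY stands in for a key that would live in an HSM-backed vault, the candidate list and log lines are constructed sample inputs, and the phone pattern only covers international "+CC ..." numbers. It also shows the failure mode the EDPB condition guards against: an unkeyed hash of an e-mail address looks like a pseudonym but is recovered by hashing a list of guesses, while the keyed token is not.

```python
"""Keyed pseudonymization with separately held re-identification data, plus
log redaction so log entries about Personal Data Actions contain no PII.

Added example, not AskCody's code. Constructed for this example:
- PSEUDO_KEY stands in for a key that would be held in an HSM-backed vault;
- CANDIDATES and SAMPLE_LOG are constructed sample inputs;
- the phone pattern only covers international "+CC ..." numbers.
Standard library only.
"""
import hashlib
import hmac
import re
import secrets
from typing import Callable, Dict, Iterable, Optional

# Constructed stand-in for a key kept in a separate vault, never stored next
# to the pseudonymized records.
PSEUDO_KEY = secrets.token_bytes(32)

# Constructed sample data: what an attacker might guess, and two log lines.
CANDIDATES = ["bob@example.com", "anna.jensen@example.com", "ceo@example.com"]
SAMPLE_LOG = [
    "2020-11-20T10:15:02Z booking.update actor=Anna.Jensen@example.com room=A-1",
    "2020-11-20T10:15:09Z visitor.create phone=+45 12 34 56 78 host=anna.jensen@example.com",
]


def normalize(identifier: str) -> str:
    """Canonical form so the same subject always yields the same token."""
    return identifier.strip().lower()


def keyed_token(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym: deterministic per key, not reversible without it."""
    return hmac.new(key, normalize(identifier).encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256: looks like a pseudonym but is reversible by guessing."""
    return hashlib.sha256(normalize(identifier).encode("utf-8")).hexdigest()


def dictionary_attack(target: str, candidates: Iterable[str],
                      fn: Callable[[str], str]) -> Optional[str]:
    """Recover the identifier behind `target` by running every guess through `fn`."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), target):
            return normalize(candidate)
    return None


class Pseudonymizer:
    """Holds the key and the re-identification table: the 'additional
    information' that must stay under the processor's sole control.
    Records stored elsewhere carry only the token."""

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._table: Dict[str, str] = {}

    def pseudonymize(self, identifier: str) -> str:
        token = keyed_token(identifier, self._key)
        self._table[token] = normalize(identifier)
        return token

    def reidentify(self, token: str) -> Optional[str]:
        """Only works for whoever holds this table; a token alone is useless."""
        return self._table.get(token)


# One alternation, one pass: replaced text is never re-scanned, so a tag that
# happens to contain digits cannot later be matched as a phone number.
PII_RE = re.compile(
    r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"  # e-mail address
    r"|\+\d[\d ]{6,}\d"                                # international phone number
)


def redact_log_line(line: str, key: bytes = PSEUDO_KEY) -> str:
    """Replace PII with a short keyed tag: correlatable within one key period,
    but carrying no personal data a log reader could use directly."""
    return PII_RE.sub(lambda m: "pseudo:" + keyed_token(m.group(0), key)[:12], line)


if __name__ == "__main__":
    p = Pseudonymizer(PSEUDO_KEY)
    token = p.pseudonymize("Anna.Jensen@example.com")
    print("token:", token, "->", p.reidentify(token))
    print("unkeyed hash recovered:",
          dictionary_attack(unkeyed_hash("anna.jensen@example.com"), CANDIDATES, unkeyed_hash))
    print("keyed token recovered:", dictionary_attack(token, CANDIDATES, unkeyed_hash))
    for line in SAMPLE_LOG:
        print(redact_log_line(line))
```

The tag in the redacted log is deliberately derived with the same key as the full pseudonym, so the same subject can still be traced across log lines during an incident investigation, but only someone holding the key and the separate table can turn a tag back into a person. Rotating the key ends that correlation, which is the lever to pull when a retention period expires.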

Transparency and accountability measures

Since any transfer of personal data to third countries relies on the use of sub-processors, we rely on and assess these sub-processors' transparency and government request reports as part of our internal control procedures and risk assessment.

Microsoft has, for many years, published information about government demands for customer data and personal data. Twice a year, Microsoft discloses more detailed information about national security orders in addition to Microsoft's regular Law Enforcement Request Report.


As part of our Secure Software Development Policy, we have highlighted the following rules:

  • Sensitive Personal Data is not processed, except when legally sanctioned
    • Though we have no control over the actual data entered into our data stores through our applications and services by users of our products, we must never request the disclosure of Sensitive Personal Data from anyone, in any way, in any AskCody application or service. Since we currently have no use for Sensitive Personal Data, there is currently no need to have processing rights legally sanctioned either.
  • Registered individuals are provided with transparent and adequate information about the processing of their personal data

Data Minimization measures

Data minimization measures include assessing the need-to-know basis for data transfer, meaning assessing if a certain data transfer is necessary for specific types of cases.

We have a strict contractual legal basis for data transfers between our sub-processors and AskCody. Data minimization in this regard relies on both a DPA between our sub-processors and us and a thorough risk assessment of all sub-processors every year. On this basis, our sub-processors only process the data needed to supply the service we need from them. A full description of each data type that our sub-processors process can be found in our DPA.

Other technical or organizational measures implemented

  • Information Security Policy (and Controls)
  • Third-party audit and compliance report

In AskCody, the following Internal policies and organizational methods are implemented:

  • Information Security Policy, including:
    • Log for any changes to this policy
    • Asset Management
    • Risk assessment and treatment
    • Human Resource security and Information Security Awareness
    • Operation Management (Service Level Management, Backup & Recovery, Secure erase)
    • Access Control (Device access control, Security measures and requirements on registered devices, Password security, Management of employee access rights, Privileged user management)
    • Inhouse Application Security (application logging and data analysis)
    • Incidents Management
  • Secure Development Policy
  • Annual third-party audit
  • Implemented controls and spot checks according to the audit framework (which is audited on a yearly basis)

This ensures consistency in the protection of personal data during the full cycle of processing. These organizational measures also improve the awareness of risks.

Information Security at AskCody is achieved by implementing a suitable set of controls and standards, including policies, processes, communication channels, procedures, organizational structures, software, and hardware systems, which enable and empower us to achieve the right level of Information Security.

These controls and standards need to be established, implemented, monitored, reviewed, and improved, where necessary, to ensure that the specific security and business objectives of AskCody, our partners and customers, users, and purposes of the data protection law are met.

Therefore, we have implemented an Information Security Policy that helps us achieve the highest standards of Information Security, fulfill, and meet the requirements from the market while allowing us to comply with legislation.

Supplementary measures not implemented by AskCody

Multi-party processing

Under multi-party processing, personal data is split prior to transmission in such a way that no part an individual processor receives lets it reconstruct the personal data in whole.

This however does not apply to AskCody, since we cannot send for instance half of an email address or half of a phone number and expect it to be received and processed.

Technically this does not make sense - instead, we are relying on the other mentioned supplementary measures.

Binding Corporate Rules

Binding corporate rules (BCR) are data protection policies adhered to by companies established in the EU for transfers of personal data outside the EU within a group of undertakings or enterprises. Such rules must include all general data protection principles and enforceable rights to ensure appropriate safeguards for data transfers. They must be legally binding and enforced by every member concerned of the group.

AskCody has not adopted BCRs, since we rely on the technical and organizational measures put in place to uphold our third-party audit and compliance report. We have not deemed BCRs relevant as a supplementary measure for the following reasons:

  1. We already have a number of contractual measures in place that BCRs would only add to. Since the Schrems II ruling has made it necessary to have more than organizational and contractual measures, we rely on the measures that make up our Information Security Policy and control activities, while also implementing and relying on SCCs.
  2. Binding Corporate Rules ensure that (1) GDPR compliance is attained, (2) personal data processing principles are respected and data subject rights are ensured, (3) legal grounds for lawful processing are in place, and (4) data practices are streamlined. We ensure each of these through our work with our Information Security Policy, from which all compliance work in AskCody arises:
    • GDPR compliance is attained: upheld through our work with our Information Security Policy, awareness activities, third-party audit, risk assessment, Secure Development Policy, etc.
    • Personal Data Processing principles are respected, and Data Subject rights are ensured: ensured through the principles that make up our Secure Software Development Policy.
    • Legal grounds for lawful processing are in place: a built-in consent flow on our platform ensures that a customer cannot sign up to our platform, and hence have their data processed, unless they sign our DPA based on the Standard Contractual Clauses described above.
    • Data practices are streamlined: ensured through our Secure Software Development Policy, followed to the letter. This policy ties our Information Security Policy control procedures and activities to a set of rules and guidelines that the Development Team must adhere to in its everyday work, on a tactical and operational level. Each rule intentionally matches an implementation requirement in our Information Security Policy and Rules. The policy aids the Development Team in continually and gradually enhancing existing business applications during the design and implementation of new work, and all members of the Development Team must know this set of rules and guidelines and follow all of them during product development.

Final thoughts and comments implementing supplementary measures following Schrems II

At AskCody, we seek to educate our customers and partners on our platform, integrations, architecture, data processing, and security to help build trust and certainty around what we do and how we do it.

As always, information, including Personal Data, is an asset that, like other valuable business assets, is essential to AskCody's business and consequently needs to be suitably protected. In this case, suitably means legally protected and in compliance with the GDPR.

Since the CJEU's Schrems II ruling of July 2020 on the EU-U.S. Privacy Shield, and the EDPB's subsequent recommendations on supplementary transfer measures, which aim to assist both controllers and processors, in their role as data exporters, with their duty to identify and implement appropriate supplementary measures, we have further documented what we are doing, how personal data is processed and transferred, and how it is protected, so that it aligns with the EDPB 'roadmap' of six steps explained in this e-book, which data exporters should follow when determining whether supplementary measures must be put in place for a certain data transfer.

We sincerely hope that this further documentation on implemented supplementary measures provides you with clarity and confidence, that we are doing our very best to stay at the forefront and stay compliant with the EU GDPR requirements on data processing, based on the new ruling and the follow-up guidance published in November 2020.