French Court: Use Of Vendor With U.S. Parent May Require Additional Security Measures

Fox Rothschild LLP

Fox Rothschild LLP

Even in the absence of a cross-border transfer of personal data from the European Union to a third country, if you are using a vendor that has a U.S. parent company, get ready to implement supplementary measures, says the French Conseil d'Etat in an interim decision.

The case involved the management of vaccination appointments (which include personal data), facilitated by a French company, Doctolib, that hosts its data using AWS Sarl (a Luxembourg company) in France and Germany. The contract did not include any transfers to the U.S., including not for technical reasons, but AWS Sarl is a subsidiary of U.S. company AWS.

According to the Court

Even though there is no transfer, the criteria applied by the Court of Justice of the European Union in Schrems II mean that controllers must analyze the level of protection provided to data processing and risk of surveillance by the U.S. authorities under FISA 702 and EO12333 just by virtue of the fact that the EU AWS entity is a subsidiary of the U.S. AWS entity, which is subject to the laws of the U.S. (a "third state" that hasn't' been granted adequacy).

Therefore, a risk assessment with potential supplementary measures must be adopted.

In this case, the measures adopted are sufficient to allow the continued relationship because:

  • No special category (sensitive) data is involved.
  • The data is deleted after three months at most.
  • Each person who created an account can delete it themselves online.
  • The agreement between Doctolib and AWS establishes a precise procedure in the event of access requests by a public authority and requires Doctolib to contest any general requirements or one that doesn't comply with EU regulations.
  • Doctolib has set up a device for securing data hosted by AWS through an encryption procedure based on a trusted third party located in France which prevents data from being read by third parties.

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Fox Rothschild LLP | Attorney Advertising

Written by:

Fox Rothschild LLP

Fox Rothschild LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.