Invalidation of the Privacy Shield

Frequently Asked Questions

The Invalidation of the Privacy Shield is a recent decision that affects the way European companies operate in transferring data to the United States. We have answered some pressing questions you may have to keep you informed during this transition.

Read FAQs

What is the Invalidation of the Privacy Shield?

On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the EU-U.S. Privacy Shield in its decision in Facebook Ireland v. Schrems (Schrems II), stipulating that the Privacy Shield transfer mechanism does not ensure compliance with the level of protection required by EU law.

Despite the decision, the CJEU reinforces that the data exporter (e.g the customer when it comes to the transfer of candidates’ data to the SmartRecruiters platform) and the data importer (e.g. SmartRecruiters) are still responsible for ensuring an adequate level of protection for personal data.

The CJEU also examined the validity of the European Commission Decision 2010/87/EC on Standard Contractual Clauses (SCCs) and declared it valid.

The judgment can be found here and the press release here. Furthermore, you can find the FAQ of the European Data Protection Board here.

What does this decision mean?

Companies certified under the Privacy Shield shall consider alternative mechanisms, like the SCCs, for exporting personal data from the European Union to the United States.

Is SmartRecruiters Privacy Shield certified?

Yes, SmartRecruiters is Privacy Shield certified.

Does SmartRecruiters rely on Privacy Shield for its own subcontractors?

In addition to the Privacy Shield certification, SmartRecruiters, Inc. has also implemented and signed the SCCs with its subcontractors to ensure its compliance with the GDPR. The SCCs have also been signed between SmartRecruiters’ European affiliates and SmartRecruiters, Inc.

Does SmartRecruiters have the Standard Contractual Clauses or any other transfer mechanism (i.a. Binding Contractual Rules for intra-group transfers) in place, either with their suppliers and/or other SmartRecruiters legal entities in the U.S. that can receive or access customers’ personal data from EEA?

As indicated in the question above, SmartRecruiters has implemented and signed the SCCs with its subcontractors, including its affiliates to ensure compliance.

How will SmartRecruiters offer compliance to its customers in the post-Privacy Shield era?

Over the last years, we have offered our customers the option to sign the SCCs as part of the Data Processing Agreement (DPA) to ensure their own compliance. If you have not signed the DPA and the SCCs yet and would like to do so, you may access them here.

Considering a scenario where the SCCs would be invalidated as well, what would be the remediation?

In such a situation, SmartRecruiters will take the necessary steps to ensure compliance with the EU legislation.

Are customers who have signed a contract with SmartRecruiters, Inc. currently in compliance?

Yes, because the legal basis for the exporting of data in our DPA is based on the SCCs. As long as you have signed our standard DPA including the SCCs, you remain compliant.

Have SmartRecruiters and its subcontractors been subject to any US Intelligence Services’ (i.a. NSA, CIA, FBI) requests for access to such data in the past two years? If yes, how often?

According to our information, this was never the case. However, in order to ensure this, we are in the process of auditing and questioning all of our subcontractors. We will be in a position to provide more precise information within the coming weeks.

What are the next steps for SmartRecruiters?

We are auditing all our subcontractors in order to ensure compliance with the new requirements of the CJEU.

Get Demo Learn More