Make data protection: After ECJ ruling: Data protection-compliant automation with European automation software
The European Court of Justice has overturned the "Privacy Shield", which until now has significantly regulated data protection and exchange between the EU and the USA. This is already the second agreement, after the Safe Harbor Agreement of 2015, to be declared invalid by the highest European court and now raises some questions for business practice. We present Make, an automation software that processes data in accordance with the GDPR. Thus, Make data protection meets the requirements of the highest court regarding personal data.
Privacy Shield declared invalid
With Facebook, Google or Apple, there are numerous big players on the market that are not directly subject to European data protection law. However, the protection of personal data is an increasingly important task of the EU, which the highest European court also takes up on a recurring basis. At the latest with the adoption of the GDPR, it is clear that data protection in Germany and the EU also has strong implications for business practice.
In this article, the term data always refers to personal data. This means that individual persons are identifiable with the help of the data, for example via business data.
The transatlantic exchange of data was previously regulated by the so-called "Privacy Shield". But the ECJ has now ruled that this is not sufficient for strict European data protection, as the US surveillance laws cannot adequately and appropriately protect the data of EU citizens.
The basis for the ruling is the GDPR. This prohibits data processing outside the EU if the level of data protection in the country concerned is not sufficient. This includes the USA in particular. Through the Privacy Shield, the USA has so far been considered to have a sufficient level of data protection, on the condition that US companies comply with EU law on the basis of this agreement.
Since US authorities in America hold special inspection rights that allow them to access the data of EU citizens without legal protection or a court order, the ECJ concluded that the level of data protection in the US is insufficient.
What are my options for practice when using US providers?
At this stage, there is a legal vacuum, as the ruling leaves companies politically alone. Some options are still linked to existing legal uncertainties and cannot be considered absolutely certain until there is more concrete guidance for companies or a renegotiation of data processing between the EU and the US.
If possible, you should switch to EU servers if US companies offer this. Amazon Web Services or Microsoft, for example, offer this option.
The safest option at present seems to be not to use any US service providers, nor service providers that work with US subcontractors.
Waiting for the reaction of the EU Commission and data protection authorities is also possible, but with a residual risk. The current political situation suggests that a quick political solution and cooperation from the US is unlikely or at least protracted. In addition, your customers, users or other stakeholders may ask you to stop transferring data to the US.
Since the damage of the ECJ ruling will also be significant for US companies, companies can at least hope for a quick solution. Ideally, this will build pressure on policymakers.
Make data protection: Is the automation provider affected by the ECJ ruling?
Thus, personal data is processed on the basis of the GDPR. Make's data processing is therefore not affected by the Privacy Shield and meets the requirements of European law.
The storage of personal data also takes place in the EU, on servers in the Czech Republic.
They are also ISO 9001 and ISO 27001 certified, which are DIN standards for quality management and information security management systems.
Why Make is now gaining new relevance for automations
Make works similarly to Zapier. The automation software supports numerous apps in the cloud, connects them with each other and thus creates seamless, efficient data flows. In terms of price, Make is even ahead in a direct comparison with Zapier: 1000 process steps are available for 0€ without any limitation of apps.
(A detailed comparison of the two cloud process automation tools can be found here).
We have long appreciated Make data protection, but the ECJ's ruling makes it clear how much the European market needs "domestic" software providers that operate according to European law. With the declaration of the privacy shield as ineffective, it becomes clear again how insecure US providers can be in times of tightened data protection. Even if a new regulation of the transatlantic agreement on data processing is concluded in the near future, this may again be declared ineffective, as was the case with the Safe Harbor Agreement in 2015, and pose practical challenges for companies.
This is particularly annoying because companies are currently left completely alone with the ECJ ruling and its effects.
Effects of the ECJ ruling on other automation providers
The Privacy Shield has so far regulated the majority of data transfers between the EU and the USA. With the ECJ's decision to declare it invalid, software providers from the USA are confronted with new challenges. One of these providers is Zapier.
It is clear from their data protection notices that the automation provider is affected by the ECJ ruling, because Zapier's data protection and the associated data processing have so far taken place on the sole basis of the Privacy Shield. This will no longer be sufficient.
According to current knowledge and the legal situation, our technical assessment is that we can only advise against continuing to use Zapier. If you still want to do so, you do so at your own risk. We cannot predict what exactly the legal consequences will be for companies working with US providers affected by the ECJ ruling on the Privacy Shield. However, there are indications of this in this article.
What else you need to know about Make data protection
Any references to Make data protection only affect the services offered by the Czech software provider. More precisely, this means:
At this point in time, you can be sure that Make operates in compliance with the GDPR and that your data is processed in a legally compliant and secure manner. This does not change after the recent ECJ ruling. The situation is different with the US competition.
In the case of an automation using Make in which you integrate Mailchimp or Instagram, for example, the use of these applications is still at your own discretion and is associated with risks following the ECJ ruling. The data processing of these third-party providers is not covered by Make's GDPR-compliant data processing. It is not the connected automated apps but the service of Make itself that is subject to European law.
So you should explore for yourself how you want to deal with any US software providers in the future.
Make as a GDPR-compliant software provider
At this stage, we advise giving preference to European software providers over US companies such as Zapier. Although it is conceivable that another agreement on EU-US data exchange will be reached, we cannot foresee in any way how the ECJ ruling on the Privacy Shield will play out in the future and whether newer agreements will not be overturned again.
Disclaimer: This article does not constitute legal advice, but an editorial contribution. We are not lawyers and are merely carrying out an IT assessment based on the ECJ ruling and publicly available data. We do not accept any liability for the content or any recommendations for action derived from it.
Cloud Integration, iPaaS, SaaS, BPA… Ugh, hard to keep track of all these terms. They are currently used frequently (and increasingly) in the context of automation, and it is sometimes difficult to make a clear distinction between them. We have already written blog posts on the terms iPaaS, SaaS and BPA, but we’ll take them up again here to make the difference clear.
But let’s start with cloud integration, because that’s the central umbrella term in which we embed all the other technologies in this blog post.
To illustrate these advantages, an example is suitable that we know well from our everyday work as an automation agency:
The central data to be used here is the data of a major customer. This can be the simplest information, such as the address. This address is required in numerous but completely different processes in the company: on the one hand, for correct invoicing in accounting. On the other hand, in the CRM system, where all the data of the large customer is also stored. But the address is also important in sales, for example, when employees go to the sales meeting on site.
Now the customer announces that the address of the company has changed after a move. This information will reach you by e-mail. There are now two options:
01. The e-mail is forwarded to all affected departments: accounting, sales, customer service, marketing… Each person opens the corresponding program (CRM, accounting software, marketing tools such as newsletter marketing) and changes the customer data already stored there. This means that in multiple applications, different people do exactly the same thing: change one address.
02. But there is also an alternative: by connecting your applications, that is, by integrating them, the customer’s e-mail, or rather the information it contains about the address change, is automatically passed on to all affected applications: CRM, accounting, marketing, ERP. This does not require any clicks, because the cloud integration detects a trigger, i.e. the address change, and thus automatically starts the process.
What sounds unimpressive in a single process becomes more effective when such a process occurs several times a day or weekly. Because there is a lot of data that is available in different applications and should always be correct. If these applications are cloud applications they are suitable for cloud integration.
But cloud integration doesn’t just happen. There are now a variety of applications that enable and implement this. Such tools usually allow us to link the relevant cloud applications on a central platform and define clear rules on when, how, where, how much data should be passed on and what happens to them.
iPaaS, SaaS, BPA, ABC – who can still see through it?
To realize cloud integration, there are various applications and technologies that are sometimes used interchangeably.
Cloud integration cannot be done without SaaS, iPaaS and BPA
Cloud integration is rather an umbrella term that includes numerous technologies, such as SaaS, iPaaS and BPA, and these technologies are absolutely necessary for it. Cloud integration is a concept that is made possible by appropriate technologies.
However, all terms share the commonality that they are cloud-based and thus offer enormous potential for growth and scaling. In addition, they are often cheaper to implement and maintain because changed requirements are easy to implement.
As an independent automation agency, we implement cloud integration according to your requirements. We use a variety of SaaS tools and iPaaS (strictly speaking BPA) software. Together we find individual solutions that are flexible and scalable.