Recently, the Court of Justice of the European Union (CJEU) invalidated the prior decision of the European Commission which had ruled that the EU-US Privacy Shield program ensured an adequate level of protection for the transfer of personal data out of the EU for processing in the United States.
Appropriately, SharpSpring has engaged with senior legal counsel who has experience with EU privacy law to assist us with making the appropriate changes to allow our EU customers to continue to feel confident that our processing of the personal data of EU persons is compliant with EU privacy law.
Despite the CJEU’s decision, the fundamental principles of SharpSpring’s commitment to our European customers remain the same. All of the policies, processes, and protections that we put in place to ensure our compliance with GDPR are still in effect and we have no plans to change this.
Further, SharpSpring continues to be a member of the EU-US Privacy Shield program. As the United States Department of Commerce recently communicated, “[the CJEU] decision does not relieve participating organizations of their Privacy Shield obligations.” [source]
Many of our European customers have reached out to us with questions about how the CJEU decision affects SharpSpring, and we’ve provided answers to the most frequent of these below.
Please note that the answers provided here do not, and are not intended to, constitute legal advice. This information is for general informational purposes only, based on our current understanding of the CJEU’s decision. This information is subject to change, so please check this post occasionally for updates.
Q: Are SharpSpring’s European customers allowed to continue to do business with us?
A: Yes. Nothing in the CJEU decision prohibits this.
Q: Will we be providing our European customers with updated legal agreements?
A: Yes. The CJEU decision confirmed that the EU’s “Standard Contractual Clauses” (SCCs) can form part of the basis for the legal transfer and processing of data outside of the EU. We are planning to provide our EU customers with updates to existing agreements that incorporate these clauses.
Q: Is SharpSpring required to host the data of EU customers on servers located within the EU?
A: It is our current understanding that this is not required. If our understanding of this situation changes, we will respond accordingly.
SharpSpring takes compliance with EU privacy law very seriously and nothing has changed about our commitment to this. As always, feel free to reach out to your Customer Success Manager with any questions.