1. Clarifications on International service providers
GDPR requires organisations that process the data of EU citizens to demonstrate compliance, regardless of their location.
Where eBoss employs the services of a third party, we will ensure GDPR compliance prior to the May 25th deadline. As per GDPR, eBoss remains liable to data controllers for all sub-processor activity.
A specific point of concern for some of our clients has been the compliance status of larger, overseas SaaS firms and cloud storage platforms.
Ongoing legal actions (for example, the Microsoft Ireland case, and Privacy Shield framework) present a challenge to data controllers using cross-border services. In some instances, an overseas body may struggle to demonstrate full GDPR compliance until after an outstanding legal ruling has been delivered. Naturally, some of these verdicts could remain outstanding after the May 25th deadline for GDPR compliance. Some data controllers have therefore questioned whether their data chain can achieve full compliance if they utilise these services.
In fact, GDPR Art. 45(1) states that: