French court ruling provides greater context to the application of “Schrems II” under the GDPR

French court ruling provides further guidance as to the application of “Schrems II”, as data hosted by subsidiary of US company is found to be protected. 


France’s highest administrative court ruled earlier this month that the hosting of a booking platform for COVID-19 vaccinations on Amazon Web Service, also known as AWS, was indeed sufficiently protected under the EU GDPR. Initially there was some question as to whether using Amazon Web services as a hosting platform was compatible with the GDPR under the “Schrems II” ruling, due to the fact that the processor was a company bound by US law. The final ruling in this case was based on the fact that the court believes that enough legal and technical safeguards are in place in the event that US authorities ever request data access. This gives quite a bit of context and has big implications for many companies, underscoring the need for supplementary legal safeguards when data is entrusted to a subsidiary of a non-EU company. 


Health data hosted by a company bound by US law, while a cause of concern for many, was found to be sufficiently protected under the GDPR. 


The plaintiffs in this case worried that the hosting of health data by a company which is bound by US law presented various risks including not just the transfer of data to the US, but also access to that data being granted to US authorities if requested from the processor. Due to the level of perceived risk, the plaintiff deemed this a sensitive and urgent matter. However, what was thought to be a violation of the provisions of the GDPR under “Schrems II”, under further investigation and reflection, turned out to be sufficiently protected under the GDPR, due to the several legal and technical safeguards put in place by the defendant, Doctolib. The judge in this case ruled against the claim filed to have this service suspended. 


This French court ruling was the result of careful assessment of the technical and legal safeguards provided for in this agreement.


The French court ruling came after careful consideration and assessment of the legal and technical safeguards and other guarantees provided for between Doctolib and Amazon Web Services. The assessment found that distinct provisions had been made within the contract between the two, for a specific procedure in the event of access requests by a foreign authority. The legal guarantee in this case is that access requests from public authorities to the processor   will be challenged. The judge also noted that the data would be encrypted with the key being held by a trusted third-party within funds and not by Amazon Web Services. Furthermore, it was found that data transmitted to Doctolib through the vaccination campaign contained no sensitive health data specifying, for example, that a user is a priority candidate for vaccination due to a certain pre-existing condition. As an additional step any data entered by users for the purpose of identification for scheduling a vaccination appointment, is deleted at most within three months of their vaccination appointment. 


“The ruling signals that there is room for the rule of reason in the application of Schrems II, and should generally be seem as good news for the online industry,” comments Dr Bostjan Makarovic, Aphaia’s Managing Partner.

“It is paramount that companies carry out an assessment covering their data flows, the countries involved and the safeguards that should be applied based on the risk identified, what is known as ‘Data Transfer Impact Assessment’”, states Cristina Contero Almagro, Aphaia’s Partner.

This telling highlights the need for legal and technical safeguards, which are recommended even when data is not being transferred outside the EU.


A key part of complying with “Schrems II” rests on technical measures like pseudonymization and encryption, and ensuring that the processor has no way of accessing the re-identification key, particularly when the key may possibly be accessed by a public authority. Legal safeguards, like those taken by Doctolib are also essential. While the new draft standard contractual clauses recently published by the European Commission do make similar provisions, it is recommended, in anticipation of these new SCCs, that companies make provisions for this type of guarantee in a specific addendum, even in cases where there is no transfer of data outside the EU.

Do you make international data transfers to third countries? We can help you. Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, transfer impact assessments and Data Protection Officer outsourcing.  Contact us today.

ePrivacy regulation amendments under Romanian Presidency

At the beginning of the year, Romania took over the rotating presidency of the Council of the European Union. The EU ePrivacy Regulation was initially set out two years ago, to be implemented at the same time as GDPR.

A set of amendments to the proposed ePrivacy Regulation were released by the Romanian Presidency. These are worth looking at – but you should not expect any spectacular changes!

Which services warrant ePrivacy?

This has been an important matter within the ePrivacy Regulation proposal all along: communications privacy rules were to be expanded to services such as online marketplaces, gaming- or mobile apps messaging features.

The latest Romanian Presidency amendment makes it clear, referring to the definition of the new European Electronic Communications Code (EECC), that ‘interpersonal communications service’ that warrant such privacy protection shall include services that enable interpersonal and interactive communication merely as a minor ancillary feature that is intrinsically linked to another service.

In other words, no matter how insignificant the messaging feature may be in relation to the service, it warrants the protection of its privacy as any other interpersonal communication.

Limitations to the security processing exception

According to the amendments, security will be more difficult to use as a blanket exception for data processing. Whereas processing is acceptable if it is necessary to detect or prevent security risks and/or attacks on end-users’ terminal equipment, such processing is only permitted “for the duration necessary for that purpose”.

Other interesting amendments

The amendments include a requirement for supervisory authorities to cooperate with data protection authorities when appropriate, as well as new investigative and corrective powers for those supervisory authorities.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

EU cybersecurity law

Cybersecurity to be reinforced in Europe

The European Parliament, the Council and the Commission reached an agreement last December to reinforce the European position on cybersecurity through the regulation proposed in 2017, which will be reflected mainly in the organisation and activity of the European Network and Information Security Agency (ENISA).

In addition to the reconfiguration of ENISA’s objectives, the regulation focuses on the design of a European certification framework in order to ensure a minimum level of cybersecurity for union products and services related to information technology and communication, which makes it the first law that regulates the safety of products connected at the domestic market level and is expected to allow for consumers to have more confidence. A single certification will also remove potential market-entry barriers and be more cost effective.

The following functions are envisaged for ENISA:

-To be a centre of expertise in cybersecurity that acts independently and provides technical and scientific assistance with transparency.

-Assist the European institutions and Member States in the development of cybersecurity policies and the acquisition of competencies in the field, in addition to promoting cooperation between them.

-Develop a framework for certification and encourage the use of it.

-Raise awareness in citizens and businesses about the importance of cybersecurity.

Among the aims of encouraging cooperation between Member States is the fight against fraud and counterfeiting of electronic means of payment, for which it is planned to establish a broad scope of criminal offences and general rules for their penalisation. In addition to facilitating cross-border access to electronic evidence and giving special importance to the role of encryption.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessment, and Data Protection Officer outsourcing.

Jehovah’s Witnesses Data Protection Court Ruling

A religious community, such as the Jehovah’s Witnesses, is a controller, jointly with its members who engage in preaching, for the processing of personal data carried out by the latter in the context of door-to-door preaching. The processing of personal data carried out in the context of such activity must respect the rules of EU law on the protection of personal data

The Jehovah’s Witnesses data protection court ruling started on the 17 September 2013, when the Finnish Data Protection Supervisor  prohibited theJehovah’s Witnesses religious community, Finland from collecting or processing personal data in the course of door-to-door preaching by its members unless the requirements of Finnish legislation relating to the processing of personal data are observed.

The members of the Jehovah’s Witnesses Community take notes in the course of their door-to-door preaching about visits to persons who are unknown to themselves or that Community. The data collected may consist of the name and addresses of persons contacted, together with information on their religious beliefs and their family circumstances. Those data are collected as a memory aid and in order to be retrieved for any subsequent visit without the knowledge or consent of the persons concerned. The Jehovah’s Witnesses Community and its congregations organise and coordinate the door-to-door preaching by their members, in particular by creating maps from which areas are allocated between the members who engage in preaching and by keeping records about preachers and the number of the Community’s publications distributed by them. Furthermore, the congregations of the Jehovah’s Witnesses Community maintain a list of persons who have requested not to receive visits from preachers and the personal data on that list are used by members of that community.

The reference for preliminary ruling from the Korkein hallinto-oikeus (Supreme Administrative Court, Finland) asks essentially whether that community is required to observe the rules of EU Law on the protection of personal data1 on account of the fact that its members, when they carry out door-to-door preaching, may take notes re-transcribing the content of their discussions and, in particular, the religious views of the persons whom they have visited.

In this week’s judgment of the Jehovah’s Witnesses data protection court ruling, the Court of Justice considers, first of all, that door-to-door preaching by members of the Jehovah’s Witnesses Community is not covered by the exceptions laid down by EU Law on the protection of personal data. In particular, that activity is not a purely personal or household activity to which that law does not apply. The fact that door-to-door preaching is protected by the fundamental right of freedom of conscience and religion enshrined in Article 10(1) of the Charter of Fundamental Rights of the European Union, does not confer an exclusively personal or household character on that activity because it extends beyond the private sphere of a member of a religious community who is a preacher.

Next, the Court states, however, that the rules of EU Law on the protection of personal data apply to the manual processing of personal data only where the data processed form part of a filing system or are intended to form part of a filing system. In the present case, since the processing of personal data is carried out otherwise than by automatic means, the question arises as to whether the data processed form part of, or are intended to form part of, such a filing system. In that regard, the Court finds that the concept of a ‘filing system’ covers a set of personal data collected in the course of door-to-door preaching, consisting of the names and addresses and other information concerning the persons contacted, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods.

The processing of personal data carried out in connection with door-to-door preaching must therefore comply with the rules of EU law on the protection of personal data.

As regards the question as to who may be regarded as a controller of the processing of personal data, the Court states that the concept of ‘controller of the processing of personal data’ may concern several actors taking part in that processing, with each of them then being subject to the rules of EU law on the protection of personal data. Those actors may be involved at different stages of that processing of personal data and to different degrees, so that the level of responsibility of each of them must be assessed with regard to all the relevant circumstances of the particular case. The Court also states that no provision of EU Law supports a finding that the determination of the purpose and means of processing must be carried out by the use of written guidelines or instructions from the controller. However, a natural or legal person who exerts influence over the processing of personal data, for his own purposes, and who participates, as a result, in the determination of the purposes and means of that processing, may be regarded as a controller of the processing of personal data.

Furthermore, the joint responsibility of several actors for the same processing, under that provision, does not require each of them to have access to the personal data concerned.

In the present case, it appears that the Jehovah’s Witnesses Community, by organising, coordinating and encouraging the preaching activities of its members participates, jointly with its members who engage in preaching, in determining the purposes and means of processing of personal data of the persons contacted, which is, however, for the Finnish court to verify with regard to all of the circumstances of the case. That finding cannot be called into question by the principle of organisational autonomy of religious communities guaranteed by Article 17 TFEU.

The Court concludes that EU law on the protection of personal data supports a finding that a religious community is a controller, jointly with its members who engage in preaching, of the processing of personal data carried out by the latter in the context of door-to-door preaching organised, coordinated and encouraged by that community, without it being necessary that the community has access to those data, or to establish that that community has given its members written guidelines or instructions in relation to the data processing.

Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.