The Safe Harbor agreement that was in force until now has been invalidated, so many companies and individuals must check whether they transfer data to companies that store their files in countries not considered safe.
In short, it affects more specifically companies with servers hosted in the US that store our files and third-party data, such as the data that comes from a mailing list of names and e-mail addresses. We normally ask for information that is not considered high-risk, duly notify the agency, and create the database on the server in a manner adapted to the LOPD. I have named Mailchimp because it is the application that can collect and store the most personal data about a user, and newsletters have more "points" to attract the eye of an inspection, but the list of applications, apart from Mailchimp, also includes Google Analytics, Google Drive, Dropbox and even some social networks. Experience with anything that depends on Google is that they will try to solve it and adapt in a timely manner; it has always been that way.
As we know, mass mailing and bad spam practices have made it a focus of constant complaint and review. It is not uncommon to receive personalized advertising without knowing where it came from, and for years there has been a market for buying e-mail lists which, thanks to data protection, has been shrinking, although it still exists.
On the AEPD's page, apart from facilitating the procedures to register, modify or cancel files, they explain the obligations and good practices when registering subscribers.
All this derives from a ruling that restricts data transfers to the US.
On October 6, 2015 the CJEU (Court of Justice of the European Union) issued a ruling by which transfers (of data files) from the European Union to the US can no longer be carried out under the Safe Harbor Decision. As a result, the Safe Harbor agreement was invalidated, among other consequences, and there is a recommended deadline of January 29 (the AEPD has clarified that it is not an ultimatum) for the affected companies to take measures together with the users of said services.
Even if we think it does not affect us, we must request express authorization from the AEPD to continue using these services through an international data transfer request; that page defines the roles of data exporter and data importer.
This is set out in: New communication on the execution of the Safe Harbor (Puerto Seguro) ruling.
The page on international data transfers lists the safe countries with which we can work without problems, as long as the file is correctly registered. It also lists exceptions that some blogs or websites may rely on, such as this one:
- When the affected party has given their unequivocal consent to the planned transfer.
If you rely on one of these exceptions, request validation of the database by the AEPD, because otherwise it is useless. Conclusions and questions that come to mind about whether Mailchimp can be used:
- What does Mailchimp say about all this?
Mailchimp says the following on its blog, although it somewhat contradicts the ruling described above: "MailChimp adheres to the Safe Harbor principles and we annually certify our compliance with the Swiss and US/EU policies. For detailed information on the Safe Harbor principles." They have added a form to comply with the LOPD, which helps to facilitate and speed up the procedures. You must send the registered file and request the data transfer, and register in the same way; the only thing Mailchimp will ask you about is the nature of the file, so that it can be sent directly. This solution is subject to the validation of your database by the AEPD.
- Should I close my Mailchimp account?
It is not necessary; in fact you must ask the agency to authorize you to transfer data to the US. Depending on the nature of your file it is easier or harder for them to authorize you: bear in mind that the more personal data you request, the higher the risk level of the file, so the security of the chain of custody must be greater. Mailchimp does not sell mailing lists or traffic data and has a very strict policy on how subscribers are obtained.
- What elements of a blog collect data?
It not only affects mailing lists, but also any form in which the user enters their data, for example comments, newsletters and registered users. These databases may be managed by a company such as Mailchimp in the case of e-mail, while comments are stored on your hosting, etc.; you must register those databases. There are more mailing companies apart from Mailchimp that operate in Europe and within the existing legal framework; I repeat, register the databases. I know this sounds alarming, but it is the normal consequence of misuse; surely the large data leaks that have occurred in the US come to mind, remember what happened to Ashley Madison and the scope of that leak. There are companies dedicated to these procedures for people like me who hate bureaucracy, and I am preparing a post to tell you about the AEPD. I hope you are not scared, but there are legal things you need to know.