E-mail service providers make sending newsletters easier and easier to understand. But when integrating partners outside the EU – for example in the USA – there are data protection issues to be considered.

E-mail service providers ensure that the e-mails really arrive in people’s inboxes in the desired design. They also give a detailed overview of how well the mail campaign went based on open rates and engagement. These numbers tell the email marketing experts in the company how strongly their own contacts interact with the emails sent by the campaigns. «This can be measured, for example, with opening and click rates and other parameters», says Daniel Wade, an e-mail marketing specialist from essaywriter.nyc company.

If the ESPs that provide these convenient services are based outside of Europe, data protection issues must be taken into account. The transfer of personal data within the EU is clearly and strictly regulated by the GDPR. However, if a sender is in the EU and would like to send data to a non-European country, he has to ask himself: Can I transmit the data to third parties at all and is the appropriate level of data protection maintained, i.e. the data is as well protected as it is after the transfer it calls for the General Data Protection Regulation (GDPR) in Europe?

Example England: Adequacy decision facilitates data transfer

The EU has built a bridge for many cases: With an adequacy decision, the Commission determines that a third country with its national legislation or its international obligations offers a level of protection for personal data comparable to that of the European Union.

If the European Commission has passed a corresponding adequacy decision, personal data may be transmitted to the respective country without further approval, provided that the other provisions of the GDPR are complied with. In other words, data transfers based on an adequacy decision are privileged: they are treated in the same way as those within the EU. There are currently adequacy decisions for the transfer of personal data to the following third countries: Andorra, Argentina, Canada (commercial organizations), Faroe Islands, Israel, Japan, New Zealand, Switzerland, Uruguay and, more recently, the United States Kingdom. South Korea will soon be added to the list.

This has only recently been the case for the United Kingdom, which after Brexit has been a so-called third country since 2021 according to Art. 44 ff. Of the GDPR. The adequacy decision issued by the EU Commission in accordance with Art. 45 (3) GDPR states that the level of data protection in the UK is appropriately high for a data transfer from the scope of the GDPR. This enables unhindered data traffic from the EU to England. A current list of valid adequacy decisions can be found on the EU Commission website.

Data transfer to the USA only on the basis of standard contractual clauses (SCCs)

If such an adequacy decision is not available, the processing body would have to take action and take one of the appropriate guarantees according to Art. 46 GDPR. As a rule, the conclusion of EU standard contractual clauses i. S. v. Art. 46 para. 2 lit. c GDPR is used.

This is shown by the example of the USA: The EU / US Privacy Shield, the last data transfer agreement signed by Washington and Brussels, was overturned by the highest European court last summer because the US secret services, in the opinion of the court, have too far-reaching surveillance capabilities.

Since then, the European Union has been looking for ways to find a stable basis for data transfer with the USA. The EU Commission has drawn up new standard contractual clauses (SCCs) for the transfer of personal data to third countries and has now published them. These contain more specific security precautions in the event that the laws of the destination country to which the data is sent allow its authorities to disclose personal data.

Recommendation: Have standard contractual clauses checked

However, even when using the new clauses in specific individual cases, additional measures may be necessary to adequately protect the transmitted data from unrestricted access by the security authorities. In the case of the USA, these measures are required in any case due to the extensive access options of the security authorities.

Therefore, even if the new standard contractual clauses are used, a corresponding concept should be coordinated with the data protection authorities in advance of future data transfers to the USA. The CSA (Certified Senders Alliance) recommends relying on strict standard contractual clauses and sending them to the responsible data supervisory authority for assessment and comment.

Read This Also: Best Possible Ways to Include Video in Your Email Marketing