International Transfers of Personal Data: how Johnson Controls is compliant post Schrems II decision

This document is provided for informational purposes only and is not intended to provide legal advice. Legal advice should be sought for queries around specific situations. This information is provided as of the date of document publication, and may not account for changes after the date of publication.

By Sachin Kothari, VP& Chief Privacy Officer, Johnson Controls

You may have noticed the news, articles, blogs and press releases regarding the Schrems II decision. Johnson Controls, through its Global Privacy Office, has been among those awaiting this decision.

Let´s take a moment to summarize the issues and the impact (if any) it may have on Johnson Controls’ customers.

International Transfers of Personal Data from the European Union (EU)

Companies that transfer personal data outside of the EU must comply with EU data protection law. EU data protection law requires an adequate level of protection of EU personal data, and recognizes several transfer mechanisms, including Standard Contractual Clauses (SCCs) issued by the European Commission, and until the Schrems II decision, the EU-US Privacy Shield framework (“Privacy Shield”).

The SCCs are contracts entered into between the parties transferring EU personal data outside of the EU.

Privacy Shield is an agreement between the US Department of Commerce and the European Commission to provide US companies with a transfer mechanism in compliance with EU data protection requirements when receiving EU personal data.

Schrems II in brief

The core issue in Schrems II was whether Privacy Shield and the SCCs provide adequate protection of EU personal data when transferred to the U.S.

The Court of Justice of the EU (CJEU) concluded that the SCCs remain a lawful tool for transfers of personal data outside of the EU.

Conversely, the CJEU concluded that Privacy Shield does not provide adequate protection, and invalidated the arrangement.

Johnson Controls Global Privacy Program in light of Schrems II

Throughout our history, Johnson Controls has conducted business with integrity, and privacy and data protection have always been vital. Johnson Controls has a robust Global Privacy Program in place and will always prioritize protecting our customers’, employees’ and suppliers’ privacy and personal data.

Schrems II is an important decision which may present challenges. However, it presents no practical impact to Johnson Controls’ customers, because Johnson Controls is not reliant on Privacy Shield when transferring personal data outside of the EU.

Customers of Johnson Controls can be reassured that any personal data transferred by Johnson Controls worldwide will continue to be protected using valid transfer mechanisms, including our Binding Corporate Rules (BCR) and the SCCs.

Johnson Controls also carries out Data Privacy Impact Assessments and incorporates Privacy by Design into our products ensuring global privacy law requirements are adhered to.

Conclusion

Privacy law in Europe moves fast, and fundamental rules have changed more than once in recent years. Johnson Controls, through its Global Privacy Office, will be following updates carefully and will implement any changes to mechanisms for transferring personal data that may arise following this decision. In the meantime, it is business as usual.

For further information on how Johnson Controls handles personal data please see our Privacy Notice.

For queries and concerns please contact the Johnson Controls Global Privacy Office at privacy@jci.com