German Podcast Episode #220: Rahul's Key Achievements as Senior IT Counsel since 2010

6 minutes

Description

4 months ago

Neha: Hello and a warm welcome to the seventh episode of our mini-series "Rahul's Key Achievements as Senior IT Counsel since 2010" – Episode 220 of our podcast. Today, we're discussing GDPR implementation, specifically privacy-by-design, vendor data processing agreements (DPAs), and data transfer safeguards. Rahul, you've often emphasized that companies like Microsoft or Salesforce set benchmarks when the GDPR took effect. But what does this mean practically?


Rahul: Thanks, Neha. Exactly, these companies integrated privacy-by-design into their development processes and signed GDPR-compliant agreements with all vendors processing EU personal data by the deadline. A negative example is the Marriott data breach in 2019: the UK ICO imposed an £18 million fine because Marriott neither vetted a vendor's security nor had contractual safeguards. I avoided such risks at my former employer by aligning our vendor DPAs and safeguards with companies like Novartis or Pfizer – both clients of my former employer.


Neha: That's a key point! You also mention privacy-by-design as technical implementation – similar to Apple's iOS, where privacy is built in via differential privacy or on-device data processing. How did you implement this at your former employer?


Rahul: I instructed engineering and procurement to integrate data minimization and encryption from the outset. I also contractually obligated vendors to do the same. A concrete example: when designing our platform, I advocated collecting only data necessary for trial outcomes. I also recommended hashing patient IDs so vendors never see direct identifiers – real-world privacy-by-design in practice.


Neha: Fascinating! Another major event was Schrems II in 2020, which invalidated the EU-US Privacy Shield. Many companies scrambled to secure data transfers. How did you preempt this?


Rahul: At my former employer, we worked with a US cloud host and an Indian data analytics provider. For the US vendor, I implemented Standard Contractual Clauses (SCCs), activated EU data centers, and added end-to-end encryption as an "additional measure" per EDPB guidance post-Schrems II. The Indian vendor similarly followed SCCs plus pseudonymization. This allowed our clinical trials to continue smoothly, even when other firms halted EU-US data transfers.


Neha: Practical! This avoids fines like WhatsApp's €225 million penalty in 2021 for inadequate transparency and operational hiccups. You even mention a specific situation at your former employer...


Rahul: Yes! When a trial participant exercised their GDPR right to erasure, we could flow the request to all vendors thanks to robust contractual clauses. Without this prep – as in the Dedalus case – it could have led to complaints. In short: my measures aligned with both the letter and spirit of GDPR (Arts. 25, 28, 44-49) and shielded us from audits, like those by CNIL for pharma companies or the Bavarian DPA, which criticized US cloud usage without extra safeguards in 2020.


Neha: A comprehensive approach – thanks, Rahul! Next time, we'll cover AI-specific compliance challenges. Until then, goodbye!


***


Read German text here:


https://docs.google.com/document/d/1oEspwKpwMcjlN5BkId5-KTNIs7pywqDbp8g1lYnU2fg/edit?pli=1&tab=t.0


***


