With the implementation of the EU-US Data Privacy Framework as of July 10th 2023, personal data transfers between the EU and US may now be done without Supplementary Measures
On 10 July 2023, the European Commission (‘the Commission’) adopted its Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework (‘the Adequacy Decision’), which contains in its annex the EU-US Data Privacy Framework (‘DPF’).
With the implementation of this framework and a processor's adherence to it, it has become legal to transfer personal data to and from the US. Specific questions regarding the Adequacy Decision are explained in this information note from the EDPB.
The Adequacy Decision applies since 10 July 2023. This means that, as of this date, transfers from the EU to organisations in the US that are included in the ‘Data Privacy Framework List’ may be based on the Adequacy Decision, without the need to rely on Article 46 GDPR transfer tools.
This therefore constitutes an update to the transfer tools AskCody uses when transferring personal data between us and our sub-processors.
Processing activities with AskCody and subsequent sub-processors remain the same; the only thing that has changed is one of the bases and transfer tools on which we rely. AskCody has decided to maintain the Supplementary Measures explained in this article and instead have the Data Privacy Framework (DPF) as an additional security measure.
Of the AskCody sub-processors, so far the following have been set as active within the Data Privacy Framework, and we will continue to review this list until all our sub-processors have been set as active.
Appcues is so far pending, but Supplementary Measures remain in effect for all sub-processors, and it is our strong belief that Appcues will become an active member of the framework as well, as they have until October 10th 2023 to do so.
It is important to note that transfers to entities in the US which are not included in the ‘Data Privacy Framework List’ cannot be based on the Adequacy Decision and will require appropriate data protection safeguards, enforceable rights and effective legal remedies for data subjects (e.g. through standard data protection clauses, binding corporate rules), in accordance with Article 46 GDPR. In this respect, the EDPB underlines that all the safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transferred to the US, regardless of the transfer tool used. Therefore, when assessing the effectiveness of the Article 46 GDPR transfer tool chosen, data exporters should take into account the assessment conducted by the Commission in the Adequacy Decision. This means that even where a US company is not set as active in the DPF list, the safeguards from the US Government apply to all data transferred.
Actions from AskCody include:
The Data Privacy Framework has been added as a transfer tool in Appendix B of the AskCody Data Processing Agreement.
An addition to Control Activities, under which AskCody will review our sub-processors' active status in the Data Privacy Framework once a year, as part of our revision process for our ISAE 3000 Audit Report.