More recent developments continue to shape the privacy world! We’re thoroughly reviewing all the new documents issued related to the transfer of European personal data. On November 11, 2020 the European Data Protection Board issued new recommendations in response to the Schrems II ruling that describe what could be appropriate technical, contractual and organizational supplementary measures. It’s important to note that this document contains recommendations, not formal guidance, and is open for public consultation. In addition, the European Commission issued draft updated Standard Contractual Clauses, which cover a broad range of data transfers.
Most importantly, we want to emphasize that Adaptive Insights is confident that the U.S. and EU governments will continue to work together to allow data transfers across borders, and the publication of the updated Standard Contractual Clauses supports that goal. As described in the existing FAQs below, we value and are committed to protecting the privacy of our customers’ personal data. We’ll be posting a more thorough update in the near future.
On July 16, the Court of Justice of the European Union (CJEU) handed down its much-awaited decision in what has become known as the Schrems II case and invalidated the EU-U.S. Privacy Shield Framework maintained by the U.S. Department of Commerce (Privacy Shield).
Can Adaptive Insights customers continue to transfer European personal data to the U.S. for processing by Adaptive Insights?
Yes. The EDPB states that Standard Contractual Clauses and Binding Corporate Rules (BCRs) may continue to be used on a case by case basis for transfers to the United States. The CJEU’s decision on the Privacy Shield does not prevent the use of the Standard Contractual Clauses as a lawful data transfer mechanism.
For those customers who have not yet executed the Standard Contractual Clauses, Adaptive Insights has made available a pre-signed electronic amendment to incorporate the Standard Contractual Clauses into their existing data processing terms. We provide details on how to execute the amendment below.
In addition, customers that are not yet leveraging the Workday Binding Corporate Rules (BCRs) may use them as an additional transfer mechanism. Please contact your Customer Success Manager if you would like to incorporate them into your existing data processing terms.
What steps should Adaptive Insights customers with European employees take as a result of the EDPB guidance?
Adaptive Insights takes compliance and the protection of European personal data very seriously. To continue to transfer European personal data to the U.S., Adaptive Insights customers should consider conducting a transfer impact assessment. The EDPB guidance states that the transfer impact assessment should take into account the circumstances of the transfer, and any supplementary measures that can be put in place. To help our customers with this analysis, Adaptive Insights has published a Transfer Impact Assessment FAQ that describes the type of data processed by Adaptive Insights, our data transfer mechanisms, and why we believe there is a low likelihood of government accessing data. It also covers supplemental measures, such as the technical security measures and contractual safeguards we offer. We will continue to update the Transfer Impact Assessment FAQ as further guidance becomes available.
What will Adaptive Insights do if it receives a U.S. Government request for Customer Data?
Adaptive Insights is committed to protecting the privacy and security of our customers’ data. We’ve had a long-standing internal policy on this topic that supports our standard contractual commitment to our customers about compelled disclosure requests. We’ve published a summary of the policy for our customers in our Government Access Principles.
Most importantly, Adaptive Insights understands that the data we process in the Adaptive Insights enterprise cloud applications belongs to our Customers. Adaptive Insights will not disclose such data to a government agency unless compelled by law.
If we receive such a request, Adaptive Insights will redirect the government agency to make the request directly to our customer. To the extent legally possible, we’ll also tell the affected customer about it, so that they can contest the demand in court. If Adaptive Insights is legally prohibited from telling our customer about the demand, Adaptive Insights will challenge that prohibition with the government agency and, where necessary, in court.
Which other European data transfer mechanisms does Adaptive Insights offer?
Adaptive Insights does not rely on a single data transfer mechanism, but offers our customers a number of options to legalize transfers of personal data from the European Economic Area and Switzerland to the United States.
Besides our Privacy Shield certification, we also offer the European Commission’s controller-to-processor Standard Contractual Clauses (Commission Decision 2010/87/EU) which the CJEU has ruled remain a valid lawful data transfer mechanism for personal data exports. In addition, EU data protection supervisory authorities have approved Workday’s global Processor Binding Corporate Rules (BCRs), as can be seen here. BCRs are a detailed, binding code of conduct that governs the processing of personal data within a multinational company, and which is reviewed and approved by EU data protection supervisory authorities.
Will Adaptive Insights consider offering newly available transfer mechanisms?
Adaptive Insights is continually evaluating new transfer mechanisms as they become available. The European Commission has repeatedly demonstrated that it is very committed to data transfer contracts as a means to facilitate transfers of personal data. On November 12, 2020 the European Commission published draft Standard Contractual Clauses that are intended to address the deficiencies identified by the CJEU in the Schrems II judgement. Once the European Commission has finalized the updated clauses, Adaptive Insights will review and evaluate whether we can make them available as a transfer mechanism.
Does the invalidation of the Privacy Shield impact customers’ Swiss data transfers to Adaptive Insights?
While the ruling does not directly affect Switzerland, the Swiss data protection authority reassessed the conformity of the Swiss-US Privacy Shield Framework following the CJEU's decision and found that it does not provide an adequate level of protection for data transfer from Switzerland to the US pursuant to the Swiss data protection act.
How can we incorporate the Standard Contractual Clauses into our data processing terms with Adaptive Insights?
Please click here to review and execute Adaptive Insights’ Standard Contractual Clauses Amendment.
If someone else in your organization needs to sign the Amendment, please copy and forward the link to the authorized signatory.
After electronically signing the amendment, the signer will receive an identity verification email from Adobe® Sign. The signer must click on the verification link in the email for the signed amendment to be forwarded to Adaptive Insights. The amendment is not binding until the verification step is complete and Adaptive Insights validates receipt of the amendment. Upon validation, all parties will receive a signed copy.
What is Adaptive Insights’ position on the free flow of data between countries?
The free flow of data across borders—including data transfers from Europe to the U.S—is critical to individual businesses and the greater economy. We meet regularly with officials on both sides of the Atlantic to talk about the economic importance of data transfers and the benefits they provide for cloud computing.
We will continue to promote the free flow of data through our work with both the European Commission and the United States government.
The most important thing to know is that Adaptive Insights will continue to prioritize our customers, including their data, privacy, and related processes, in order to help support continued compliance with related rules and regulations.
How can I contact Adaptive Insights if I have questions?
We realize the topic of cross-border data flows are complex ones to tackle, but we’re here to help. If you have any questions about your cross border data transfer mechanisms with Adaptive Insights, contact firstname.lastname@example.org.