b. What are each of our roles under the GDPR?
We act as the Processor when processing Personal Data in accordance with your documented instructions. Generally, you act as a Controller of Personal Data that you provide to us.
c. Do we need to enter into a Data Processing Agreement (“DPA”)?
Yes, the GDPR requires a Controller and a Processor to enter into a DPA if the Processor processes Personal Data on behalf of the Controller. The DPA must contain certain terms such as the subject-matter, duration, nature, purpose, and types and categories of Personal Data. We have incorporated documents containing our DPAs into our agreements. This approach has the advantage that we do not need to separately sign a DPA.
Our DPAs are GDPR-compliant and contain all required provisions for the protection of the Processor and the Controller. The DPAs are specific to our services and cover our processes in relation to these (e.g., privacy-related notifications, audits and sub-processing activities). In addition, for Hosted Services, our terms in the MCE Service Guide reflect the terms contracted between us and our cloud sub-processors (e.g., Amazon Web Services and Microsoft) and as such, we may not alter them.
2. Sub-processors
a. Do we use sub-processors?
Yes, we use certain affiliates as well as third-party organizations as sub-processors. To effectively perform our services to you, we may require the transfer of Personal Data to sub-processors. We take responsibility for the actions of our sub-processors. You may find our current list of sub-processors here.
b. How do we notify you of a new sub-processor?
Before we engage any new sub-processor, we will update the web pages where we list our sub-processors. You may object to the use of the new sub-processor using the procedure set out in the DPAs.
3. International Data Transfers
a. Why do we need to transfer Personal Data outside of the EU/EEA?
A part of our services (including certain Technical Support or the Hosted Services) is performed from, and related information is stored in, countries outside of the EU/EEA. The GDPR explicitly allows transferring Personal Data to non-EU/EEA countries if the parties have a valid transfer mechanism in place. The Standard Contractual Clauses constitute such a transfer mechanism, which we use in our agreements with customers. This is common for US software companies and can be regarded as market standard. In addition, we are certified under the EU-US Data Privacy Framework and the Swiss-U.S. Data Privacy Framework (DPF). The DPF is a formal decision made by the EU which recognizes that companies certified under the DPF in the US provide an equivalent level of protection for Personal Data as the EU does. Our certification can be found here.
b. Do the DPA provisions include the 2021 Standard Contractual Clauses?
Yes, the 2021 Standard Contractual Clauses apply, as may be updated, supplemented or replaced from time to time under applicable law. As the Standard Contractual Clauses are incorporated by reference into our agreements, they do not need to be separately signed.
c. How do we address the “supplementary measures” established in the Schrems II decision?³
Amongst others, we established the following supplementary measures to address the Schrems II decision:
If you would like to learn more, please ask your account executive for the “Strategy’s Statement on International Transfers of Data” document.
d. For Hosted Services, is it possible to select the location of the data center?
The Hosted Services are operated out of a data center location that you and we mutually determine. Generally, we may agree on any data center location where Amazon Web Services or Microsoft offer their infrastructure services.
4. Security Breach Notification, Return and Deletion of Personal Data
a. What does the notification process look like in the event of a security breach?
We will notify you without undue delay after becoming aware of any actual breach of Personal Data by us or our sub-processors.
b. What happens to the Personal Data after termination or expiration of the relevant contract?
We will, at your option, delete or return to you the Personal Data after the end of the provision of the services relating to processing, and delete any remaining copies. We are only entitled to retain such Personal Data as we are obligated to keep to comply with any applicable law or as we are required to retain for insurance, accounting, taxation or record-keeping purposes.
For Hosted Services, you may retrieve or delete any remaining Personal Data from the Hosted Services.
¹ This document is for informational purposes only and is not intended to provide legal advice.
² This document only applies to the processing of data relating to an identified or identifiable natural person, including names, e-mail addresses and phone numbers (“Personal Data”). All other data does not fall under the General Data Protection Regulation dated 25 May 2018 (“GDPR”). Except as otherwise defined in this document, all capitalized terms used in this FAQ shall have the meaning as set out in the GDPR.
³ A summary of the Schrems II decision can be found here.