HubSpot's Commitment to Protecting EU Data Transfers

What the July 16, 2020 CJEU Privacy Shield ruling and new Standard Contractual Clauses mean for HubSpot customers and partners

In our Customer Code, we commit to doing the right thing when it comes to protecting our customers’ data, which includes providing safe, secure, and legal ways for our customers to transfer their data as needed. This isn’t a responsibility we take lightly. 

The world of security and data privacy is constantly evolving, as it did on July 16, 2020, when the Court of Justice for the European Union (CJEU) issued a ruling that invalidated the EU-US Privacy Shield and held that the Standard Contractual Clauses (SCCs) remain a valid transfer mechanism. And again on June 4, 2021, when the European Commission adopted a new set of SCCs.

The good news is that we were prepared for this – transfers of HubSpot customer data from the EU are already covered by "old" the SCCs, and HubSpot plans to transition to the “new” set of SCCs by September 2021. Since the GDPR went into effect in 2018, our Data Processing Agreement (DPA), which is incorporated into our Customer Terms of Service, has included both the Privacy Shield and SCCs as the legal mechanisms to transfer customer data from the EU. This ensured that our customers had multiple options for secure data transfers. 

Although the Privacy Shield is no longer relied upon, the SCCs automatically apply and ensure that data is safely transferred from the EU, so our customers and partners can continue to use HubSpot without disruption, seamlessly transitioning to the new set of SCCs starting September 2021.

Frequently Asked Questions

  • HubSpot relies on the European Commission's standard contractual clauses (or SCCs) which are included in our Customer Data Processing Agreement. 

  • The CJEU ruling, also known as ‘Schrems II’, centers around whether the European Commission's standard contractual clauses and EU-US Privacy Shield are a lawful mechanism for transferring personal data outside of the EU. The CJEU made two key rulings:

    1. The Court invalidated the EU-US Privacy Shield; this means the Privacy Shield is no longer an option for companies to use to protect data being transferred from the EU to the US.
    2. Conversely, the Court held that the standard contractual clauses (or SCCs) remain a valid data transfer mechanism but clarified that the SCC data transfers need to be analyzed on a case-by-case basis to ensure EU standards of data protection are met.
  • The standard contractual clauses “SCCs'' are one of the data transfer mechanisms that organizations can use under the GDPR for cross-border data transfers.

  • On June 4, 2021, the European Commission published and adopted two sets of updated SCCs. The updates to the SCCs align with the GDPR compliance and address some of the issues the CJEU addressed in the Schrems II decision. 

  • Key dates for implementing the new SCCs are outlined below: 

    • June 27, 2021: New SCCs effective. Organizations can start using the new SCCs starting from this date. 
    • September 27, 2021: The new SCCs have to be implemented for all new contracts with Customers and Vendors starting this date. 
    • December 27, 2022: Data Importers (i.e. HubSpot) and Data Exporters (i.e. HubSpot Customers) have 18 months to replace existing SCCs with the new SCCs. 

     

  • Yes. HubSpot will update the Customer DPA with the new SCCs by September 2021. Between now and then, HubSpot will be working with our sub-processors and other third party services providers to add the SCCs to those agreements.

    • Modular Approach: The new SCCs feature a modular structure of clauses that data exporters (HubSpot Customers) will use based on the nature of their roles and responsibilities in relation to the data transfer in question.
    • Transfer Risk Assessments: The new SCCs require data exporters to document their data transfer assessments. These transfer risk assessments provide additional protections to the transfer in question by assessing the laws of the third country, and to ensure if any supplementary safeguards are needed. 
    • Supplementary Measures: The new SCCs provide a non-exhaustive list of technical  and organizational supplemental safeguards for data transfers for organizations to implement if necessary.   
  • No. Our Customer Terms of Service incorporate our DPA by reference (see Section 5.4). HubSpot agrees to abide by and process European Data in compliance with the SCCs in Section 7(f) of our DPA. The SCCs are set out in Annex 3 of the DPA. As noted, HubSpot plans to update these SCCs by September 2021.

  • No, the EU-US Privacy Shield is invalid as of July 16, 2020.

  • No, this ruling only applies to the EU-US Privacy Shield.

  • No, on June 28, 2021 the European Commission approved a UK adequacy decision. This means organizations can continue to receive data from the EU without having to make any changes to their data protection practices. 

Have additional questions?