What the July 16, 2020 CJEU Privacy Shield ruling means for HubSpot customers and partners
In our Customer Code, we commit to doing the right thing when it comes to protecting our customers’ data, which includes providing safe, secure, and legal ways for our customers to transfer their data as needed. This isn’t a responsibility we take lightly.
The world of security and data privacy is constantly evolving, as it did on July 16, 2020, when the Court of Justice for the European Union (CJEU) issued a ruling that invalidated the EU-US Privacy Shield and held that the Standard Contractual Clauses (SCCs) remain a valid transfer mechanism.
The good news is that we were prepared for this – transfers of HubSpot customer data from the EU are already covered by the SCCs. Since the GDPR went into effect in 2018, our Data Processing Agreement (DPA), which is incorporated into our Customer Terms of Service, has included both the Privacy Shield and SCCs as the legal mechanisms to transfer customer data from the EU. This ensured that our customers had multiple options for secure data transfers.
Although the Privacy Shield will no longer be relied on going forward, the SCCs automatically apply and ensure that data is safely transferred from the EU, so our customers and partners can continue to use HubSpot without disruption.
The CJEU ruling, also known as ‘Schrems II’, centers around whether the European Commission's standard contractual clauses and EU-US Privacy Shield are a lawful mechanism for transferring personal data outside of the EU. The CJEU made two key rulings:
No. Our Customer Terms of Service incorporate our DPA by reference (see Section 5.4). HubSpot agrees to abide by and process European Data in compliance with the SCCs in Section 7(f) of our DPA. The SCCs are set out in Annex 3 of the DPA.
No, the EU-US Privacy Shield is invalid as of July 16, 2020.
No, this ruling only applies to the EU-US Privacy Shield.