What the July 16, 2020 CJEU Privacy Shield ruling in “Schrems II” and Standard Contractual Clauses mean for HubSpot customers and partners
In our Customer Code, we commit to doing the right thing when it comes to protecting our customers’ data, which includes providing safe, secure, and legal ways for our customers to transfer their data as needed. This isn’t a responsibility we take lightly.
The world of security and data privacy is constantly evolving. It did so on July 16, 2020, when the Court of Justice for the European Union (“CJEU”) issued a ruling that invalidated the EU-US Privacy Shield and held that the Standard Contractual Clauses (“SCCs”) remain a valid transfer mechanism, and again on June 4, 2021, when the European Commission adopted an updated set of EU SCCs.
On 27 September 2021, HubSpot updated our Data Processing Agreement (“DPA”) to include the updated SCCs. The SCCs are incorporated automatically into our DPA and ensure that data is safely transferred from the EU, so our customers and partners can continue to use HubSpot without disruption.
The Standard Contractual Clauses, also referred to as “SCCs”, are a data transfer mechanism issued by the European Commission that organizations can use for cross-border data transfers outside the EU.
On June 4, 2021, the European Commission published and adopted two sets of updated SCCs.
The CJEU ruling, also known as ‘Schrems II’, centers around whether the SCCs and the EU-US Privacy Shield are lawful mechanisms for transferring personal data outside of the EU. The CJEU made two key rulings:
HubSpot relies on a number of transfer mechanisms, including the SCCs (namely for all transfers to the US), which are incorporated into our online DPA.
On June 4, 2021, the European Commission published and adopted two sets of updated SCCs. The updates to the SCCs align with the GDPR compliance requirements and address some of the issues the CJEU addressed in the Schrems II decision. Effective 27 September 2021, HubSpot updated our DPA to include the new SCCs.
No. Our Customer Terms of Service (“TOS”) incorporate our DPA (which includes the updated SCCs) by reference (see Section 5.4 of our TOS). HubSpot agrees to abide by and process European Data (as defined in our DPA) in compliance with the SCCs in Section 7(f) of our DPA. The updated SCCs are set out in Annex 3 of the DPA.
HubSpot no longer relies on the EU-US Privacy Shield as a transfer tool under the GDPR. However, for as long as we are self-certified to the Privacy Shield, we will process Personal Data from the EU and Switzerland in compliance with the Privacy Shield Principles (which include Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, Recourse, Enforcement and Liability) as an additional contractual commitment to our customers (and therefore as a supplementary contractual measure as required by the European Data Protection Board (“EDPB”)). More information on HubSpot’s Privacy Shield Certification (EU-U.S. and Swiss-U.S.) is available here.