What the July 16, 2020 CJEU Privacy Shield ruling and new Standard Contractual Clauses mean for HubSpot customers and partners
In our Customer Code, we commit to doing the right thing when it comes to protecting our customers’ data, which includes providing safe, secure, and legal ways for our customers to transfer their data as needed. This isn’t a responsibility we take lightly.
The world of security and data privacy is constantly evolving, as it did on July 16, 2020, when the Court of Justice for the European Union (CJEU) issued a ruling that invalidated the EU-US Privacy Shield and held that the Standard Contractual Clauses (SCCs) remain a valid transfer mechanism. And again on June 4, 2021, when the European Commission adopted a new set of SCCs.
The good news is that we were prepared for this – transfers of HubSpot customer data from the EU are already covered by "old" the SCCs, and HubSpot plans to transition to the “new” set of SCCs by September 2021. Since the GDPR went into effect in 2018, our Data Processing Agreement (DPA), which is incorporated into our Customer Terms of Service, has included both the Privacy Shield and SCCs as the legal mechanisms to transfer customer data from the EU. This ensured that our customers had multiple options for secure data transfers.
Although the Privacy Shield is no longer relied upon, the SCCs automatically apply and ensure that data is safely transferred from the EU, so our customers and partners can continue to use HubSpot without disruption, seamlessly transitioning to the new set of SCCs starting September 2021.
HubSpot relies on the European Commission's standard contractual clauses (or SCCs) which are included in our Customer Data Processing Agreement.
The CJEU ruling, also known as ‘Schrems II’, centers around whether the European Commission's standard contractual clauses and EU-US Privacy Shield are a lawful mechanism for transferring personal data outside of the EU. The CJEU made two key rulings:
The standard contractual clauses “SCCs'' are one of the data transfer mechanisms that organizations can use under the GDPR for cross-border data transfers.
On June 4, 2021, the European Commission published and adopted two sets of updated SCCs. The updates to the SCCs align with the GDPR compliance and address some of the issues the CJEU addressed in the Schrems II decision.
Key dates for implementing the new SCCs are outlined below:
Yes. HubSpot will update the Customer DPA with the new SCCs by September 2021. Between now and then, HubSpot will be working with our sub-processors and other third party services providers to add the SCCs to those agreements.
No. Our Customer Terms of Service incorporate our DPA by reference (see Section 5.4). HubSpot agrees to abide by and process European Data in compliance with the SCCs in Section 7(f) of our DPA. The SCCs are set out in Annex 3 of the DPA. As noted, HubSpot plans to update these SCCs by September 2021.
No, the EU-US Privacy Shield is invalid as of July 16, 2020.
No, this ruling only applies to the EU-US Privacy Shield.
No, on June 28, 2021 the European Commission approved a UK adequacy decision. This means organizations can continue to receive data from the EU without having to make any changes to their data protection practices.