essensys’ Data Processing Addendum and Transfers of European Personal Data

At essensys, trust is one of our core values and nothing is more important than the success of our customers and the privacy of our customers’ data. We have a robust privacy program designed to meet the highest standards in the industry. essensys’ data processing addendum incorporates binding corporate rules, the EU-U.S. Privacy Shield and the European Commission’s standard contractual clauses.

What are binding corporate rules, the EU-U.S. Privacy Shield, and the EU standard contractual clauses?

Binding corporate rules (or “BCRs”) are company-specific, group-wide data protection policies approved by European data protection authorities to facilitate transfers of personal data from the European Economic Area (“EEA”) to other countries. BCRs are based on strict privacy principles established by European Union (“EU”) data protection authorities and require intensive consultation with European data protection authorities. Additional information about BCRs is available at the European Commission’s Web site.

The EU-U.S. Privacy Shield is a framework designed by the U.S. Department of Commerce and the European Commission to provide companies with a mechanism to comply with European data protection requirements when transferring personal data from the EU to the U.S. Companies may self-certify to comply with the EU-U.S. Privacy Shield framework, and compliance is subject to oversight and enforcement by the U.S. Federal Trade Commission.

The EU standard contractual clauses are legal contracts entered into between contracting parties who are transferring personal data from Europe to other countries located outside the EEA. The standard contractual clauses were drafted and approved by the European Commission.

How does essensys’ data processing addendum benefit my company?

essensys’ data processing addendum gives our customers contractual assurance that essensys has multiple legal mechanisms to help customers validate transfers of personal data from the EEA to essensys’ services.

To which services do the essensys Processor BCR, the EU standard contractual clauses, and essensys’ certification to the EU-U.S. Privacy Shield apply?

The essensys Processor BCR applies to data submitted to essensys’ services branded as Operate and Connect. Customers using services not within the scope of the Essensys Processor BCR, as well as customers who are in jurisdictions that do not yet recognize BCRs or who have not completed locally required formalities, may take advantage of essensys’ certification under the EU-U.S. Privacy Shield for the services described here, or may use the EU standard contractual clauses to legalize the international transfer of European personal data to essensys’ services. The Privacy Shield framework applies automatically to services within the scope of essensys’ certification, and the standard contractual clauses continue to be incorporated into essensys’ data processing addendum for these situations.

How does my company incorporate essensys’ data processing addendum into my essensys contract?

Customers may complete, sign and return the data processing addendum to privacy@essensys.tech.

Does last year’s European Court of Justice decision regarding the EU-U.S. Safe Harbor Framework impact the Essensys Processor BCR, the EU standard contractual clauses, or the EU-U.S. Privacy Shield?

On October 6, 2015, the European Court of Justice determined that the EU-U.S. Safe Harbor does not provide a legal basis for transfer of personal data from Europe to the U.S. Additionally, the European Court of Justice confirmed that EU member state data protection authorities have authority to question the validity of data transfer mechanisms. On October 16, 2015, the Article 29 Working Party confirmed that both standard contractual clauses and BCRs remain valid legal mechanisms for transferring personal data from the EU. This has also been reiterated by the European Commission in a November 4, 2015 communication to the European Parliament and the Council of the EU. On July 12, 2016, the EU and the U.S. formally entered the EU-U.S. Privacy Shield, a new framework intended to replace the EU-U.S. Safe Harbor. The U.S. Department of Commerce has accepted essensys’ self-certification under the new framework for the services described here. The Privacy Shield framework further strengthens transfers of EU personal data to the U.S. by offering new commitments from the U.S. government regarding protection of data belonging to EU citizens, including the creation of an ombudsperson role to oversee governmental requests for access to personal data. This complements recent changes to U.S. law including the passage of a redress act giving EU citizens access to U.S. courts to enforce privacy rights.