By Desiree Robinson, Director of Information Security and Compliance
On July 7, the Court of Justice of the European Union (ECJ) invalidated the EU-US Privacy Shield framework in its ruling in Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems (Case C-311/18). Because of our commitment to data privacy and security, this did not impact a single Alchemer customer.
This ruling does affect about 5,300 companies that have been certified to adhere to the Privacy Shield framework. However, Alchemer did not rely solely on Privacy Shield membership for GDPR compliance; we have always executed standard contractual clauses with our EU customers. We have maintained a data center in the EU (specifically in Germany) and made our application GDPR-compliant. This data center is where all data from EU citizens is held safely and securely. We also recently opened an EU Support Center.
What Does Invalidating EU-US Privacy Shield Mean?
When the European Court of Justice (ECJ) invalidated the Privacy Shield standard, it was protecting EU citizens’ rights, given that United States surveillance laws violated EU regulations. The ruling states that the level of data protection in the country to which data is being transferred has to be equivalent to that in the European Union. If not, the authorities will proactively suspend or prohibit transfers of personal data. This ruling does not just apply to the United States, but also to countries such as Russia, China, and India.
Companies that did not take a similar approach to Alchemer’s may need to rewrite their business contracts with European customers, and possibly update their End User License Agreements (EULAs). These companies will likely need to demonstrate, on a regular and ongoing basis, how any data centers outside of the EU meet the GDPR privacy and related security obligations.
Failure to comply could result in a fine of up to four percent of the company’s global revenue.
For customers in Switzerland, the Swiss-USA Privacy Shield is still in place and we maintain a membership with the Swiss-US Privacy Shield organization.
What Additional Steps Has SurveyGizmo Taken?
Alchemer protects all data to the highest standards. Our protection exceeds the requirements for both GDPR (for EU citizens) and CCPA (for California residents). To better serve our European customers we recently opened European-based support capabilities.
Although the EU-USA Privacy Shield has been struck down by the courts, SurveyGizmo still offers the same level of privacy and security as before. Our application and all our data centers — in the EU, USA, and Canada — are completely GDPR- and CCPA-compliant.
Five Ways to Determine if Your Vendors Meet GDPR Requirements
Check to see if your data vendor has:
- GDPR-compliant data centers in the EU: If the vendor offers EU-based data centers there may not be a Privacy Shield related concern. You’ll just want to verify the data remains in the EU and cannot or will not be transferred away without your knowledge or consent.
- GDPR-related features or capabilities: At Alchemer, we have enabled application features to ensure our customers meet their own GDPR compliance requirements, such as inserting their own Privacy Notice, gathering consent, and implementing data retention policies per survey. Can your other vendors provide similar assurances?
- Contracts and agreements with standard contractual clauses and/or Data Processing Agreements: If your data vendors struggle with agreeing to or meeting your privacy obligations or concerns, this is a red flag, and you should consider migrating your business elsewhere. The privacy requirements within the GDPR are quickly becoming the world standard, and meeting them is essentially the right thing to do for their customers regardless of where the customer is located.
- Ways to exercise your data subject rights requests: A great way to test the vendor’s ability to meet your data subject rights requests is to submit one for the data they hold about you or your business. If they provide the information you expect within the required time limit, then you can be sure their process is current and sufficient. If there are back-and-forth questions, concerns, delays, or suspected issues with the data request, then it is a safe assumption that the requirement is not being met appropriately.
The Net-Net for You
Alchemer has always provided, and always will provide, our customers with the option to store their data in our EU data center. As long as you maintain your EU account, the data is not transferred to the USA without your permission, and then only for support purposes.
Our application features have advanced privacy notice and opt-in consent capabilities, and Alchemer customers can also use our platform to help them comply with other GDPR requirements. Account administrators can easily include necessary consents within their surveys. In the event a customer of Alchemer needs to retrieve the respondents’ consent, this is easily done via the platform through the account administrator.
Additionally, Alchemer performed a SOC2 Type I audit in 2019 and is underway with a SOC2 Type II audit. We are also working toward an ISO 27001:2013 certification to provide our customers with the highest levels of confidence that their data is secure and safe.
At the end of the day, nothing changes for Alchemer customers. As you have seen in your experience with us, the Alchemer approach has always been to go above and beyond to protect your data.