Addigy & EU Data Protection

Addigy supports all customers that operate in the Europe Economic Area and has made a number of changes to ensure current and ongoing compliance with all EU Data Protection Laws, including the General Data Protection Regulation (GDPR).

General Data Protection Regulation

Privacy by Design

The Addigy Privacy Policy reflects our commitment to protecting customer data and maintaining a security-first culture. Addigy is committed to complying with all relevant regulatory frameworks, as well as ensuring our Privacy by Design framework extends to all areas of the Addigy application(s).

GDPR

Addigy has undergone a rigorous review process to assess where and how our relevant services collect, use, store and dispose of personal data and have updated our policies, standards, governance and documentation accordingly.

Addigy has released a Data Processing Addendum (DPA) with provisions to assist our partners and customers with their GDPR compliance.

Addigy has updated its DPA to reflect the Court of Justice of European Union (CJEU) new 2021 Standard Contractual Clauses.

All Addigy employees complete GDPR-specific training and conduct ongoing awareness initiatives on a variety of topics including data protection, security, and privacy.

Privacy Shield Frameworks

Privacy Shield frameworks were designed to provide companies in Europe, the U.K., and the US with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.

In July of 2020, the CJEU determined these Frameworks no longer provide an adequate transfer mechanism for the European Union.

However, Addigy remains certified to both the EU-U.s Privacy Shield and Swiss-US Privacy Shield Framework programs as set forth by the Department of Commerce.

More information on these frameworks.

Addigy is certified for both the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework.
Review our Privacy Shield Framework Certifications.

Data Processing Agreement

Review Addigy’s Data Processing Agreement (DPA)

Addigy GDPR Whitepaper

Read more information about how your organization can leverage Addigy to support GDPR compliance.

Request For Deletion

Contact us to submit a request for deletion.

 

Frequently Asked Questions (FAQ)

 

Why did Addigy update the Data Protection Addendum? (DPA)

Addigy’s DPA was updated primarily to incorporate the new Standard Contractual Clauses (SCCs) that the European Commission published on June 4, 2021 to address data transfers originating from the European Economic Area (EEA). These new SCCs are meant to better align with the regulatory requirements of the GDPR, and to address issues highlighted in recent legal decisions like Schrems II. We also took this opportunity to revise and reformat our DPA to make it easier to read and understand. These new SCCs replace the 2001, 2004, and 2010 SCCs currently in use.

What do you need to do?

For those customers subject to our Online DPA, no action is required. The updated DPA will automatically become part of your agreement with us effective September 27, 2021. 

If you have negotiated a separate DPA with Addigy, which includes the prior version of the SCCs, those SCCs will remain in place and effective until December 27, 2022.  If you would like to update them prior to December 27, 2022, please reach out to your Addigy Account Representative or email [email protected].  We are happy to accommodate your request to update to our new DPA at any point before or at your next renewal.

Did we make other changes to the DPA?

Yes and no. Our DPA integrates the requirements of the SCCs in a manner that does not allow us to simply strip out the prior version SCCs to be replaced with the new SCC module format, and more granular requirements of the new SCCs. 

So, yes, we have made many changes to the DPA to make it an easier to read and understand document for all of our global customers (for example, moving EU-specific clauses to separate appendices), but also no, in that we have not made any substantive changes other than those related to the new SCCs.

When is the updated DPA effective?

The updated DPA will be automatically effective on September 27, 2021 for all Addigy customers that have agreed to the terms of our Online DPA. New transfers (i.e. new contracts) made after September 27, 2021 must use the new SSCs because the prior versions of the SCCs are repealed effective as of this date.

I have negotiated the terms of my DPA directly with Addigy (i.e., I am not subject to the standard online DPA terms). Do I need to update my DPA to account for new SCCs and when?

Yes, but there is a grace period. If you have negotiated a separate DPA with Addigy that includes the prior EU-approved version of the SCCs, those SCCs will remain in place and effective until December 27, 2022.  If you would like to update them prior to December 27, 2022, please reach out to your Addigy Account Executive.  We are happy to accommodate your requests to update to the new DPA at any point before or at your next renewal.

What changes do the EU’s new SCCs contain?

As mentioned above, the European Commission updated the SCCs to address more complex processing activities that exist in today’s world, the requirements of the GDPR, and the Schrems II decision, including requirements to apply additional transparency and notification controls covering government access requests, and to carry out and document an assessment of the laws of the third country to confirm that the local law in the importing country does not prevent Addigy’s compliance with the terms in the SCCs.

The new SCCs are also modular so they can be tailored to the type of transfer. The prior version of the SCCs applied only to controller-controller and controller-processor transfers of personal data from the EU to countries without an adequacy decision by the European Commission. The updated clauses are expanded to also include processor-processor and processor-controller transfers.

When are SCCs applicable to me as a customer?

Addigy relies on SCCs to transfer personal data outside the EEA, UK and Switzerland to the United States. This means that if you are using the Addigy Services to transfer personal data originating from the EEA, the UK, and/or Switzerland, then the SCCs are the valid transfer mechanism to make such transfers.

Do the new SSCs apply to transfers of personal data from the UK to the US?

No. The original SCCs will continue to apply to transfers of personal data from the UK to the US until the UK recognizes the European Commission’s new SCCs or adopts its own version. For more information about UK data transfers, please view the ICO website on SCCs and data transfers here