What is an International Transfer of Personal Data?
There is an international transfer of personal data (“International Transfer”) when such data is made available outside the European Economic Area (“EEA”). International Transfer may include the storage of personal data in a country outside the EEA but also the access to personal data stored in the EU from subprocessors located outside the EEA (e.g., for support services).
What are the European Commission’s Standard Contractual Clauses?
The European Commission’s standard contractual clauses (“SCCs”) are legal contracts entered into between parties that are transferring EU personal data outside of the EU to countries that lack adequate or equivalent data protection. The initial standard contractual clauses for controller-to-processor transfers were drafted and approved by the European Commission in 2010. Following the Schrems II decision, the European Commission drafted new standard contractual clauses to incorporate the requirements of GDPR and the Schrems II decision. The new SCCs were subject to consultation until December 10, 2020 and their final version was published on June 7, 2021. The European Commission grants companies a transitional period of 18 months to implement the new SCCs into their existing contracts. Smartsheet’s updated DPA incorporates the recently adopted new SCCs.
For those customers with older agreements that do not include reference to the SCCs or include the prior version of the SCCs, we encourage you to review the updated DPA. If you have determined that you require an updated DPA with Smartsheet, you may submit a form agreeing to the terms of the DPA here. By submitting the form, a copy of the DPA will be routed via DocuSign to the authorized signer entered into the form. Once signed, a copy will also be sent to the individual who submitted the form for their records.