We have taken a number of measures to comply with the Schrems II ruling, which invalidated the EU-US Privacy Shield as a legitimate way of transferring data between the EU and the US. The measures we have taken to ensure the legality of US data transfers are the following:
What are the Standard Contractual Clauses?
The European Commission’s Standard Contractual Clauses are legal contracts entered into between parties that are transferring EU personal data outside of the EU. On 4 June 2021, the Commission issued modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR).
Knowly has included the mutual acceptance of these modernised Standard Contractual Clauses as the legal basis for the transfer of EU personal data to our services as part of our Data Processing Agreement.
Does Knowly have subprocessor agreements in place which cause personal information to be transferred to the United States or other third countries? If so, what types of personal information are affected?
We use Heroku (Salesforce) and Amazon, both of which are US companies. The personal data transferred may include name, email, and/or phone number, device data (computer model name and version, web browser name and version) and geolocation data (IP address). The risk of transferring this level of personal data is low, and we are in conversation with both providers to understand the technical and organisational security measures they have in place against exposure for purposes outside of the service agreement.
Below are some of the resources provided by the subprocessors regarding EU data transfer, and specifically regarding US government requests for personal data.