The EU-US Data Privacy Framework
On 10 July 2023, the EU Commission issued a so-called adequacy decision for the US, paired with a new EU-US Data Privacy Framework (“the Framework”).
This means that the US is now considered to ensure an adequate level of protection - comparable to that of the EU - for personal data transferred from the EU to US companies under the Framework.
A US company can participate in the Framework by committing to a set of privacy principles, issued by the US Department of Commerce (“US DoC”). The company needs to publicly declare their commitment to comply with the principles, by entering a specific list held by the US DoC.
Once a US recipient is on the US DoC list, no additional documents or measures are needed to enable the transfer.
Transfers of personal data to US recipients that are not on the US DoC list are also considered substantially less risky than before. However, the EU/EEA-based sender will need to use another instrument recognized by the GDPR to enable the transfer, like entering into so-called EU Standard Contractual Clauses with the recipient.
The UK and Swiss add-on agreements
Since the UK and Switzerland are not part of the EU/EEA, UK-based and Swiss companies do not benefit directly from the Framework. However, both the UK government and Swiss government have been negotiating their own data transfer agreements with the US, that will serve as add-on deals to the Framework.
The purpose of these add-on deals are to allow UK and Swiss companies to rely on the principles agreed under the Framework.
In the past months, US companies have been able to pre-certify under the upcoming UK and Swiss agreements. However, it has not been possible for them to receive personal data based on this certification, until the UK respectively Switzerland issue adequacy decisions of their own.
Now, on September 21 2023, the UK government announced its own adequacy decision for the US. In connection with this, it was also announced that the UK’s add-on deal, called the UK-US Data Bridge, will take effect as of 12 October 2023.
Switzerland has not yet issued a new adequacy decision for the US.
What does this mean for Teamtailor’s service?
As you can see from our list of subprocessors, Teamtailor uses a limited number of US-based and US-owned entities in providing Teamtailor’s service.
Since the start of our cooperation with each subprocessor, we have implemented encryption measures and other security measures, for the transfers of personal data that the cooperation involves. We have also implemented instruments recognized by applicable data protection laws to enable the transfers, like the EU Standard Contractual Clauses.
We plan to keep all security measures we already have in place with our US subprocessors. We also plan to keep the legal instruments we have already entered into with them, as a fallback, even if they certify under a new data transfer agreement.
Nevertheless, we very much welcome the new data transfer agreements: They will make it easier for our EU/EEA-based customers to know and demonstrate that transfers of personal data to our US subprocessors are fully compliant with EU- UK- and Swiss data protection requirements.
Many of our US subprocessors are already certified under the new agreements. We are working closely with each US subprocessor to understand whether they will be certifying under the new frameworks. We are also investigating whether the new certifications will be used as the means of protecting the personal data transferred via us, or whether we will continue to rely on the instruments we already have in place.
We continuously update our Data Transfer Impact Assessment (available on request) to reflect what means of transfer we rely on with each US subprocessor.
If and when we start using a new US subprocessor, we will require that they are either certified under appropriate data transfer agreements, or enter into other recognized instruments with us. We will also continue to require that our US service providers keep high security standards.
For more information
For more general information about the new data transfer agreements, we recommend you to read:
If you have questions concerning the new agreements and your use of Teamtailor’s service, contact our sales representatives, your CSM or firstname.lastname@example.org.