On July 16, 2020, the Court of Justice of the European Union (CJEU) delivered a decision examining transfers of data from the EU, referred to as the Schrems II decision.

We appreciate that our customers may have questions about the potential impact of the decision and steps Freshworks is taking to address them. We wanted to take the opportunity to pre-empt and answer some of the most important questions in these FAQs.

 

Q: What did the Schrems II decision say?

A: The CJEU invalidated the EU-U.S. Privacy Shield Framework (Privacy Shield) as a mechanism to facilitate lawful transfers of personal data outside the European Economic Area (EEA) but confirmed that the Standard Contractual Clauses, as previously approved by the European Commission (the SCCs) will remain a valid mechanism.

The CJEU emphasized that controllers must ensure that there are "appropriate safeguards" to provide individuals whose personal data are transferred a level of protection that is "essentially equivalent" to the protection they enjoy in Europe (under the General Data Protection Regulation or "GDPR" and the Charter of Fundamental Rights). The SCCs are one means of achieving this although in some circumstances "additional safeguards" will be needed (see below).

 

Q: What does this mean for transfers to Freshworks under its Privacy Shield certification?

A: Privacy is important to Freshworks. We are continuing to monitor guidance issued by EU Data Protection Authorities and the European Data Protection Board (a body of all the EU regulators). We also await further clarification from the EU Commission and US Government to address some of the more issues raised by the decision at a political level.

However, in the meantime, the decision does not prevent the use of SCCs as a lawful data transfer mechanism. Freshworks is, therefore, transitioning to reliance on the SCCs for its transfer of data out of the EEA to the US and is continuing to rely on the SCCs for other transfers of data out of the EEA.    

Our Data Privacy Addendum (or Data Processing Agreements) appends the SCCs and makes clear that the SCCs apply between our customer (as exporter) and Freshworks (as importer) for the transfer of any personal data from the EEA which is not (or no longer) subject to an adequacy decision (such as the Privacy Shield). Now that transfers of personal data to the US under the Privacy Shield are not deemed adequate, the SCCs automatically apply in place of the Privacy Shield under our Addendum.

Although the Privacy Shield has been determined as an invalid mechanism for transfers of personal data from the EEA, Freshworks is still committed to continuing to process personal data received from the EEA in accordance with the Privacy Shield Principles.

 

Q: What other measures are Freshworks taking to ensure "appropriate safeguards" of European data?

A: Privacy is important to Freshworks. We are continually striving to ensure the upmost protections of all personal data that we process. We await guidance from the EDPB on what additional measures might be required to ensure "appropriate safeguards" of European data, but in the meantime wanted to share the following steps we already take.

1. Security

     a. We pride ourselves in our robust data security and privacy practices, which continually evolve to ensure the protection of our customer's personal data You can read more about our extensive security program and design here.

     b. We are certified with ISO 27001 and we are a member of the Cloud Security Alliance. 

     c. We use AES 256 bit encryption with 1,024 bit key-strength for data at Rest and FIPS 140-2 compliant TLS encryption for data in transit, meaning that it will be intelligible to third parties.

 2. Law enforcement requests

     a. We have strict policies and processes in place to ensure that we will inform customers promptly, as required under the SCCs, if we receive a request from law enforcement or other public authority for disclosure to customer data.

     b.In accordance with our policies and processes, we only provide law enforcement with access to data when legally compelled to do so.

 

Q: I have further questions, where can I direct them?

A: We hope these FAQs serve to alleviate immediate concerns but if you do have any further questions, please feel free to contact your Freshworks account manager or privacy@freshworks.com.