International Transfers of EU Personal Data to Task Analytics Services

Updates to the Task Analytics Data Processing Agreement



Task Analytics has taken a number of measures to legalize the transfers of EU personal data to Task Analytics services in light of the July 16, 2020 decision of the Court of Justice of the European Union (“CJEU”).

The decision made by the CJEU confirmed the validity of the European Commission’s standard contractual clauses as a legal mechanism for the transfer of EU personal data, but invalidated the EU-US Privacy Shield framework. This means that companies may no longer rely on the EU-US Privacy Shield framework to transfer EU personal data to the US. Task Analytics took the following steps so that our customers may continue to use our services by completing the Task Analytics Data Processing Agreement:

  1. Review of Service Providers - Task Analytics has conducted a full audit of current subprocessor Data Processing Agreements in order to determine the EU legality of data transfer down the subprocessing chain, and to confirm that we have agreements in place with subcontractors based on the EU SCCs. The full list of subprocessors that TA uses can be found in Appendix II of the Data Processing Agreement.

  2. Changes in service providers - Task Analytics has made efforts to cease using service providers that transferred or processed data in the US, to minimize the risk to the protection of sub-processed data further down the chain. For those companies that process data in the EU but are US companies, we've reached out and confirmed the specifics of data transfer security and the law upon which the transfer is based.

  3. Updated DPA with the EU's Standard Contractual Clauses - Task Analytics had previously used the Privacy Shield as the basis for transfers to the United States. We've now updated Section 5.3 of the Data Processing Agreement with the EU Standard Contractual Clauses as the basis for transfers, based on the requirements set forth by Article 26(2) of Directive 95/46/EC. We've also added the SCCs with appropriate appendices, all of which subcontractors are required to sign as part of the TA Data Processing Agreement.

FAQ



What are the Standard Contractual Clauses?

The European Commission’s Standard Contractual Clauses are legal contracts entered into between parties that are transferring EU personal data outside of the EU. The standard contractual clauses were drafted and approved by the European Commission in 2010. Task Analytics has included the mutual acceptance of these Standard Contractual Clauses as the legal basis for the transfer of EU personal data to Task Analytics services as part of the Task Analytics Data Processing Agreement.

Does Task Analytics have subprocessor agreements in place which cause personal information to be transferred to the United States or other third countries? If so, what types of personal information are affected?

Task Analytics uses Heroku (Salesforce) and ArangoDB, both of which are US companies. The personal data transferred may include Task Analytics customer name, email, and application login password (stored securely in hashed form), device data (computer model name and version, web browser name and version) and geolocation data (IP address). The risk of transferring this level of personal data is low, and Task Analytics is in conversation with both providers to understand the technical and organizational security measures they have in place against exposure for purposes outside of the service agreement.

Below are some of the resources provided by the subprocessors regarding EU data transfer, and specifically regarding US government requests for personal data.

Salesforce

Task Analytics uses the Salesforce service Heroku to build the client application which is part of the Task Analytics service.

Salesforce has documented a set of principles that apply should the company receive a government request for customer data, and employs a set of subprocessor Binding Corporate Rules that are focused on GDPR compliance, transparency, and mitigating the risk of infringing on customers' personal data.
  1. International Transfers of EU Personal Data to Salesforce's Services: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/EU-Data-Transfer-Mechanisms-FAQ.pdf (July 2020)
  2. Salesforce’s Principles for Government Requests for Customer Data: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/salesforces-principles-for-government-requests-for-customer-data.pdf (July 2020)
  3. Salesforce Binding Corporate Rules: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/misc/Salesforce-Processor-BCR.pdf (Feb 2021)
