Privacy and Data Protection
Questions and Answers for NAVEX Global Customers
Q: What are the New SCCs?
A: The New SCCs are a set of contract terms created by the European Commission to legitimize the transfer of personal data from the EU. The new SCCs incorporate GDPR-required terms and provide for a modular approach. The applicable modules for NAVEX Global’s services are the New Controller to Processor module for transfers between our customers and our US based entity, NAVEX Global, Inc., and the Processor to Processor module for transfers between NAVEX Global and its affiliates and sub-processors. More details on the New SCCs are available on the European Commission’s website here.
Q: How do the New SCCs impact or affect the Schrems II decision?
A: The New SCCs provide clarity for organisations that transfer personal data outside of the EU following last year’s Court of Justice of the European Union’s (CJEU) ruling in the Schrems II decision. Most significantly for our customers, organisations may decide to proceed with the transfer without supplementary measures, if they consider there to be no reason to believe that the relevant and problematic legislation (those in the U.S. in this instance) will be applied, in practice, to the transferred data and/or NAVEX Global. A key factor for companies to consider is the absence of previous requests from public authorities. This approach aligns with both the GDPR’s risk-based approach to compliance and the requirements of the CJEU’s Schrems II ruling. To this point, NAVEX Global has never received a FISA or EO 12.333 request, as scrutinized by the court’s decision.
Q: How do the New SCCs apply to my contracts with NAVEX Global?
A: For those applicable customers contracted directly with our US-based entity, NAVEX Global, Inc., it is our interpretation the New Controller to Processor SCCs apply, regardless of your hosting location.
For those EU-hosted customers contracted with our European entities, NAVEX Global UK Limited or GCS Compliance Services Europe Unlimited Company, it is our interpretation the New Controller to Processor SCCs do not apply (due to the United Kingdom’s adequacy decision). We have appropriate New Processor to Processor SCCs in place to care for the transfers taking place via our affiliates and sub-processors. Regardless, we are here to support our customers with their compliance efforts and are happy to enter into those New Controller to Processor SCCs at your discretion.
Q. If my product/service with NAVEX Global is EU Hosted, are the SCCs necessary?
A. As noted above, NAVEX Global’s EU/UK operating structure (including limiting hosting and storage to within the EU, and using UK personnel to support and maintain the service) renders the New Controller to Processor SCCs inapplicable to the vast majority of our EU and UK customers. Under limited and temporary circumstances, select NAVEX Global personnel may have access to the EU hosted database. Such access is remote, subject to all of NAVEX Global’s stringent security requirements, provided to those on a strict need-to-know basis, and is non-routine and temporary to provide the required function. To legitimize such access, NAVEX Global has the New Processor to Processor SCCs in place between its European entities and its affiliate based in the US.
Q: What does this mean for my company using NAVEX Global products and services?
A: To ensure that transfers of personal data from the EU to the US can occur in line with European data protection laws, we will enter into these New SCCs with our customers upon request. While the New SCCs came into force 27 June 2021, organisations have an 18-month grace period to replace the old standard contractual clauses with the New SCCs for existing contracts. However, NAVEX Global understands existing data processing agreements will need to be updated and understands the importance in supporting our customers with this update. We have been supporting customers with the New SCCs since before 27 September 2021 and have implemented a streamlined process for customers to execute them. Any customer wishing to enter into the New Controller to Processor SCCs can see instructions on how to do so below.
Q: How does my company incorporate the New SCCs into my NAVEX Global contract?
A: You should complete, sign and submit the New SCCs via the e-signature process detailed in the following link: HERE. The New SCCs, by its terms, will be incorporated into your existing agreement with NAVEX Global.
Q: Does NAVEX Global maintain Schrems II compliance documentation in addition to the New SCCs?
A: Yes. Please visit our NAVEX Global Community to access our current Post Schrems II Customer Assurance Guide, which provides you all of our Schrems II compliance information, including Transfer Risk Assessments.
Q: What should I do if I have additional questions?
A: Please contact email@example.com and we will be happy to assist you.