Frequently Asked Questions on Data Transfers

1. What did the Court of Justice of the European Union (CJEU) rule in the Schrems II judgment? 
On 16 July 2020, the CJEU issued a ruling regarding the EU-US Privacy Shield Decision and Standard Contractual Clauses. 

The CJEU ruled the Privacy Shield invalid. This means that data transfers from the EU to the USA based on the Privacy Shield became illegal and companies’ relying on the Privacy Shield must find an alternative transfer mechanism to continue transfers between the EU and the USA. However, in the same ruling, the CJEU confirmed that the Standard Contractual Clauses (SCC), also known as model clauses, remain as a valid transfer mechanism for transfers outside of the EU. 

2. Why has the Privacy Shield been deemed invalid? 
The CJEU considered that the risks to individual privacy arising from US surveillance law (Section 702 FISA and EO 12333) enabling access to personal data by US public authorities for national security purposes mean that the requirements of the GDPR and the EU Charter are not met.  

3. What did the CJEU said about Standard Contractual Clauses? 
The CJEU ruled that the Standard Contractual Clauses (SCC) remain a valid transfer mechanism under the GDPR but that supplementary measures may be required when adequate data protection cannot be ensured by way of SCC alone due to access to personal data by public authorities in the third country. 

4. What Lumoame has done as a result of the CJEU’s ruling? 
We have assessed our global data flows carefully and contacted our sub-processors to ensure that transfers outside of EU/EEA remain lawful. For more information about our data flows, please see our updated list of our sub-processors and their location here.  

5. Does Lumoame transfer customers’ personal data to USA or other third countries? 
Lumoame processes personal data within the EU/EEA. 

However, one of our sub-processors processes personal data outside of EU/EEA. Lumoame has decided to stop using that sub-processor by end of March 2021. 

Our sub-processor Intercom is a US-based company who provides support services to us. While providing services to us, Intercom has access to email addresses of our service users. This limited amount of personal data (email addresses) is processed in the USA. No other personal data is accessed or otherwise processed by us or our sub-processors in the USA or in other third countries outside of EU/EEA. 

We also use other US-based service providers, such as Microsoft and MongoDB Atlas. However, all personal data processed by them is stored and processed within the EU/EEA. Lumoame has a paid subscription explicitly prohibiting transfer of data outside of EU/EEA. 

You can find a full list of our sub-processors and their location here

6. What transfer mechanism does Lumoame use when transferring personal data outside of the EEA? 
Lumoame has the Standard Contractual Clauses (SCC) in place with its sub-processor Intercom who processes personal data in the USA.

Lumoame uses a sub-processor Enuvo GmbH in Switzerland. The European Commission has assessed the level of data protection in Switzerland equivalent to the level in the EU (“adequacy decision”). This means that transfers of personal data to Switzerland are treated similarly to intra-EU transmissions of data.

7. What kind of supplementary measures are in place to ensure lawful transfers? 
The data processing addendum and SCC in place between Lumoame and Intercom provide a set of legal and technical security measures to ensure lawful data transfers to the USA. In line with the CJEU’s ruling, these measures include data encryption in transit, notification obligation in case of law enforcement request as well as the right to suspend data transfers in case of non-compliance with the SCC. 

8. Is Lumoame (or its vendors) subject to US law enforcement requests?
Lumoame is not subject to law enforcement requests in the USA. Our sub-processor Intercom has also confirmed that they have not received US law enforcement requests under Section 702 FISA or EO 12333. 

9. What can we expect next? 
The European Data Protection Board (EDPB) is currently analyzing the CJEU’s judgment in detail and will provide further guidance on the ruling and supplementary measures that could be taken to supplement SCC. 

We are committed to ensuring that our customers’ personal data remain protected and will follow new guidance provided by competent data protection authorities in the EU. 

10. How can I obtain more information? 
If you have any questions regarding this document, you can contact us at privacy@lumoa.me