International Data Transfer

What are the rules governing the transfer of personal data to text|?

We value your privacy and we are committed to protecting your information.

What that means for you?

The transfer of personal data is an important part of our service. If you want to better understand the rules and conditions in which we secure the transfer of your personal data, this document is for you.

We ensure that any transfer of personal data from the European Economic Area (EEA) and the United Kingdom (the UK) to us is performed under the conditions outlined in our Data Protection Addendum (DPA) as one of the most common ways of achieving cross-border data transfers in compliance with the data protection laws. 

With respect to how Text, Inc. (text|) processes your data (including personal data) and shares it with sub-processors please note that we have access to your data and your customer data (including personal data) in accordance with our Terms of Use and Privacy Policy which we kindly suggest familiarizing yourself with.

As a Client - what should I keep in mind before transferring personal data to text|? 

text|, as the processor of your data under your account (including the personal data of your end-users (i.e. visitors to your website where our product is implemented), needs to be sure that for the entire duration of your subscription to our products, you have a legal basis for collecting, processing and transferring the data of your end-users to our products to enable us the fulfillment of our obligations pursuant to the Agreement. Please remember, that the consent of your end-users to have their personal data processed by you and transferred to us should always be lawfully collected by you. It’s important, as we can only provide our services to you if you, as an  owner of data contractually confirm to us that you have a continuing legal basis for collecting, processing end-users data when chatting with you and transferring it to us to provide you with the services you subscribed for.

Any legal assistance you may need with the lawful transfer of personal data from you to us should be discussed with your legal advisor who knows your organization, purposes and your local regulations.

Do text| products make it easier to collect consent from clients’ end-users?

Yes. Our products are built with customer security and privacy in mind. As a global service provider, we allow you to adjust the chat window to the legal data protection obligations you may be subject to in order to capture the necessary consent from your end-users and facilitate your use of our product in a legit way. Want more information about how to prepare your chat to be GDPR,  CCPA and UK GDPR compliant? Go to consent settings.

What EU-US changes are coming up after EU-US Data Privacy Framework and Adequacy Decision?
In a significant stride, on July 10, 2023, the European Commission marked a milestone by endorsing an adequacy decision for the EU-US Data Privacy Framework (EU-US DPF). This endorsement formally affirms the data privacy protections introduced by President Joe Biden’s October 2022 Executive Order, aimed at securing the cross-Atlantic transfer of personal data from the European Union to the United States. The full effect of this momentous decision commenced on the same date: July 10, 2023.

This pivotal adequacy decision signifies more than just a passing of the torch from the EU-US Privacy Shield Framework; it declares, with unwavering conviction, that the United States provides an equivalent level of safeguard for personal data. This acknowledgment spans data transferred from the EU/EEA and UK to US entities participating in the framework.

Below you will find the necessary information about the currently applicable mechanisms for transferring personal data from your location to us, so that you can be more aware of what legal standards we apply to the processing of your end-users data when you transfer it from the EU/EEA and the UK to the US.

Navigating global data transfers and the concept of adequacy.

In the context of international data privacy regulations, particularly those enshrined in European law, the transfer of personal data to other destinations are allowable only when the destination jurisdiction is deemed “adequate” or if the entity initiating the transfer can demonstrate safeguards that ensure an equivalent level of data protection.

When a jurisdiction is deemed adequate, it signifies an open pathway for the seamless transmission of personal data from the evaluating jurisdiction to the adequate one, and to entities within that jurisdiction, unencumbered by the need for supplementary mechanisms.

What is text|’s approach to international transfers of personal data?

text| has taken proactive steps to ensure the legitimacy of transferring personal data outside of Europe, aligning with global data protection principles and frameworks. By achieving certification under the EU-US Data Privacy Framework (EU-US DPF), text| has obtained “adequacy” status, a recognition that the US guarantees an appropriate level of data protection for data transfers via text| services. As a result, these cross-border data transfers can be treated with the same level of confidence as intra-EU transmissions of data.  For more in-depth information, please refer to text|’s certification.

text| offers a range of transfer mechanisms, recognized as “appropriate safeguards,” that serve to legitimize the transfer of personal data. One such mechanism is the use of Standard Contractual Clauses (SCCs), legally binding contracts entered into by parties engaged in the transfer of personal data to third countries. text|’s commitment to data protection extends beyond just legal measures – additional technical, organizational, and contractual measures have been put in place, as outlined here.

text|’s comprehensive approach with offering complex transfer mechanisms and additional measures as well as EU-US DPF certification underscores text|’s dedication to ensuring the safety and privacy of data in the context of international transfers, aligning seamlessly with evolving data protection frameworks and regulatory standards.

We are located in Europe. Can we transmit personal data outside the EU to text|?

Yes. text| complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (The General Data Protection Regulation – GDPR). It means that we are committed to subjecting all personal data received from European Union (EU), European Economic Area (EEA) and Switzerland in reliance on the GDPR. To learn more about our GDPR compliance, please visit our data protection- faq.

How does text| comply with the GDPR when there is a transfer of Personal Data from the EU/EEA?

As per the GDPR, personal data transfers to another country outside the EU can take place only when an adequate level of protection is ensured or there are safeguards in place to ensure the level of protection is essentially equivalent to that currently guaranteed inside the EU. 

We are located in the United States therefore, to facilitate EU/US cross-border data transfers a cornerstone of our strategy is the recent milestone of an adequacy decision, which carries profound significance. This decision serves as an official replacement of the EU-US Privacy Shield Framework, solidifying our role in safeguarding data privacy and security. and we rely on adequacy decision marks the official replacement of the EU-US Privacy Shield Framework as well as on the SCCs approved by the European Commission that offers sufficient safeguards on personal data protection to be transferred internationally from the EU/EEA to the US. 

How are SCCs executed by text|? 

We have included the new SCCs (Module II) in our DPA which allows both text| and its customers to comply with the GDPR regulation when there is a cross-border transfer of personal data from EU/EEA to us. Module II pertains to the transfer from the controller (the owner of the data - that is you) to the processor (a service provider that is contracted to process the data on behalf of the controller - that is us) and is presented as Exhibit C to our DPA.

Can transfers of personal data be validly made to and from the UK to the EEA?

Yes. Transfers of personal data from the EEA to the UK may take place without additional safeguards since the European Commission considered on 28 June 2021 that the UK offers an adequate level of protection for personal data. The UK is an “adequate” country for EU GDPR purposes.

We are located in the UK. What rules apply if I transfer personal data made from the United Kingdom (“UK”) to Text?

Under UK GDPR, personal data can be transferred from the UK by using tools or mechanisms akin to those under the GDPR.

After 21 September 2022, all personal data transfers from the United Kingdom (“UK”) to us (a non-EU/EEA third country) are legitimized by using the EU SCCs, subject to the UK Addendum (an international data transfer addendum to the EU SCCs). It means that when making international transfers from the UK to us,  we rely on the UK Addendum and the new EU SCCs offering sufficient safeguards on personal data protection to be transferred internationally from the UK to the US.  

After the EU-US Data Protection Framework (DPF) got the thumbs up from the European Commission, the UK is now ready to follow in these footsteps. On 8 June 2023, the UK and the US issued a joint Statement confirming commitment in principle to establishing a “data bridge” to allow for the free flow of data between organizations in the UK and participating organizations in the US. This data bridge was implemented through the Data Protection (Adequacy) (United States of America) Regulations 2023, which came into force on 12 October 2023, and acts as an extension of the EU-US DPF specifically tailored for the UK, facilitating seamless data transfers. In line with the UK Extension to the EU-US DPF, text| has successfully self-certified our commitment to its stipulations. This enables us to reliably receive personal data transfers from the United Kingdom (including Gibraltar).

Should I sign a new DPA with text| if my company started using text| services before 27 September, 2022? 

No. We are aware that DPA with us under the old EU SCCs entered into on or before 21 September 2022 with text| will continue to be compliant until 21 March 2024. However, as of September 21, 2022, our existing DPA has been automatically replaced by us with a new valid transfer mechanism that is the UK Addendum alongside the new EU SCCs there is no need to sign a new DPA with text|. It applies to all our UK customers regardless of whether you started using our services before or after September 21, 2022.

Please note that this information is provided for general understanding and informational purposes only. For specific legal matters and compliance, it is advisable to seek professional legal counsel.