Disclaimer: I think we all know that I am not a lawyer (although I once dreamed!). The purpose of this post is to provide guidance on the use of the SCCs for Docebo customers. The information in this document is for general informational purposes only and does not constitute legal advice.
Now that we got that out of the way, on July 20th, 2022 we sent out an email asking you to sign an update to our DPA. We got a lot of questions and I am here armed with a lot of answers.
Q: This is a long post, should I really read this? Does this apply to me?
A: Privacy matters to everyone; today more than ever before! This post is to bring some light to the what and why of the email sent out titled: Docebo Amendment to Customer DPA to incorporate new SCCs.
BUT, if you joined the Docebo family after September 2021, there is no action required on your part. When you joined, Docebo had already updated our DPA to align with all requirements. However, it is a good read on privacy, so grab a coffee and we can all learn together.
If you signed the DPA that was attached to the above-mentioned email, you are home free as well; this post will just help explain some of the whys, so why not keep reading?
Q: What is a DPA?
A: Maybe we should have started with this. A DPA (Data Processing Agreement) is an agreement between a data controller (in this case your organization) and a data processor (Docebo). It regulates any personal data processing conducted for business purposes.
Q: Why are we being asked to sign an update to the DPA?
A: Last June, the European Commission created a new set of standards around the transfer of personal data outside of the EU by adopting new Standard Contractual Clauses (‘SCC’). The SCCs are standardized and pre-approved model data protection clauses that allow controllers and processors to comply with their obligations under EU data protection law.
These new clauses introduce stronger protection for personal data, new obligations on the parties to assess the legality of the intended transfer, and increased transparency towards customers and individuals. These standard clauses are part of the new DPA.
Want the legal jargon and links to more? We got you 🥸
On 4 June 2021, the European Commission adopted a new set of standard contractual clauses (‘SCC’) for the transfer of personal data to countries outside of the European Economic Area, replacing the old model agreements from 2010 (adopted before the GDPR entered into force).
The SCCs are standardized and pre-approved model data protection clauses that allow controllers and processors to comply with their obligations under EU data protection law. The new SCCs take a modular approach and cover more situations than the old model clauses. They introduce stronger protection for personal data, new obligations on the parties to assess the legality of the intended transfer, and increased transparency towards customers and individuals.
Q: Hang on a second, we are based in UK only, this is not relevant to us.
A: Don’t worry, we have not forgotten about our beloved UK customers. Our DPA update takes UK GDPR requirements into account too and includes the appropriate UK transfer mechanisms. Told you we have been busy!
Want to dive in again? Legal mode turned ON
In March 2022, the Information Commissioner’s Office (ICO) released two new transfer tools for compliance with the UK GDPR when making data transfers from the UK to non-adequate countries: (i) the UK’s new International Data Transfer Agreement (“IDTA”), and (ii) the new International Data Transfer Addendum (“the UK Addendum”).
You can find more information here.
Docebo has incorporated the UK Addendum to the EU SCCs to ensure adequate safeguards for UK transfers.
Q: Does this apply if I am outside of Europe/UK?
A: While this was initiated as a result of the European Commission adopting a new set of standard contractual clauses, the commitments in the DPA are general privacy-related commitments that are for the good of all organizations and are not specific to European laws only. Let’s just say: safety first when it comes to privacy.
Note: Under the GDPR and the UK GDPR, the new SCCs will, in some scenarios, be the only reasonable method to legally and adequately transfer personal data from the EU/UK to a 'non-adequate' third country.
Non-adequate sounds a little scary, want to know more?
From our friends at Deloitte:
Adequate and “non-adequate” countries
The GDPR essentially distinguishes between countries outside the European Economic Area (EEA) that are considered to ensure an adequate level of protection for personal data and “non-adequate” countries. A transfer to an “adequate” country is the simplest way to transfer personal data outside the EEA; these transfers are permitted and legal under the GDPR. A transfer to an adequate country does not require prior approval from a supervisory authority and organisations need not take any further action.
What’s the catch though? Only the European Commission can decide on adequacy, this is not a self-assessment. The full list of adequate countries can be found on the Commission’s website.
“Non-adequate” country? Appropriate safeguards!
In the absence of a Commission adequacy decision, international data transfers may only take place where organisations have taken appropriate safeguards for the protection of personal data. This is to ensure that the level of protection offered by the GDPR is not undermined. The GDPR lists a number of possible safeguards that can be taken.
…these standard clauses are one of those safeguards!
Q: The email referenced versions… How do we know if we have version 7.7 or version 7.8 of Docebo’s DPA?
A: If you signed with Docebo for the first time prior to September 2021, chances are you have an older version (i.e. 7.7 or earlier). If you want to check whether you need to sign the updated version, you can find your version number in the footer of each DPA page. Note: There is no harm in signing the updated version just to be sure; see more on that below.
It looks like this:
If your DPA does not have this information, it may be that we agreed a custom DPA with you, so please contact us at email@example.com to find out whether your DPA is already compliant.
Q: Will our services stop or will there be any impact on our users if we do not sign the Amendment?
A: Short answer: no. This Amendment has no direct impact on the provision of our services to you, nor to your users. It simply ensures your compliance with the updated EU/UK data protection laws.
Q: How does this affect us, as a customer?
A: This ensures that you are compliant with the 2021 updates to the EU/UK data protection laws. There are no changes in your services.
Q: Our legal team loves redline - can we?
A: Don’t they all! 😀 If your legal team has any questions, please contact the Docebo legal team at firstname.lastname@example.org. They are happy to answer!
Q: Technical issue - We are not able to sign or complete the required fields, why?
A: In case of technical issues, we suggest you download the PDF, upload it into DocuSign or any other platform you use to sign documents, sign it, and send it back to email@example.com and firstname.lastname@example.org.
If you are experiencing further technical issues, please contact us at email@example.com.
Q: Our data is stored in Europe, do we need to sign it?
A: If you are based in Europe, we do not specifically need to have SCCs in place between you and Docebo. However, the Amendment states that if we use service providers outside the EU/UK, we will incorporate the new SCCs. In other words, the Amendment only adds a further layer of safeguards for you as a data controller.
Q: Does this Amendment apply outside of Europe?
A: (I asked this one too!) It does! The GDPR and UK GDPR apply to organizations based both inside and outside of Europe that offer goods or services, or that monitor behavior (for example through tracking cookies and IP addresses).
In such a globalized world, large amounts of personal data are transferred across borders every day and are sometimes stored on servers in different countries. These laws protect that personal data wherever it may travel.
Q: When do we need to sign this Amendment?
A: Per the European Commission guidelines, businesses must amend all the old DPAs that use the old SCCs to the new SCCs by December 27, 2022.
Q: Who needs to sign?
A: The signing authority of your organization is the appropriate person to sign. If you are not sure, please check with your legal team!