The simple answer to this question is there is no operational impact for our Customers.
On the 16th of July 2020, it was announced by the Court of Justice of the European Union (CJEU) that the EU-US Privacy Shield was invalid. This was the result of what has become known as the “Schrems II” case. The result of the EU-US Privacy Shield invalidation is no longer a legitimate data transfer mechanism to be used by companies for the transfer of personal data from the European Economic Area to the United States.
OneLogin’s commitment to protecting our data including our customer data is part of our comprehensive and global Trust and Security framework and, therefore, not limited to geographical borders and/or regions within.
Data Management is core to our OneLogin Trust and Security framework. The framework is built from a full range of factors that inform the security approach. The framework commences from the broadest external factors of government laws and regulations, then we layer our global and regional compliance requirements on top and demonstrate our industry best practice via our certifications and/or accreditations of best practice assurance. Finally, we attest to this via our contractual clause agreement and associated agreement structures. OneLogin then takes all these externally focused factors to translate them into our internal policies, standards and procedures that make up how we at OneLogin operate and manage our systems and the data stored within them, including customer data.
The EU-US Privacy Shield was just one of our contractual clause agreement structures part of our OneLogin Trust and Security framework available to use. We used it as part of our customer contractual clause commitments to provide Customers with trust and security assurance on how we at OneLogin managed their data processed, stored and managed their data in our Trusted Experience Platform service offering. We have over the years and continue to support the utilization of Standard Contractual Clauses commonly referred to as “SCC” that provide our Customers with the same Trust and Security assurance on how we at OneLogin operate.
Operating best practice to data management will always remain core to our OneLogin Trust and Security framework. OneLogin will continue to develop and deliver global industry best practice for data management. We will continue to provide this contractual commitment via our customer contracts using the SCC framework. We will continue to evidence our Trust and Security assurance via our global industry best practice certifications and accreditations for Security and Privacy namely ISO 27001, 27017 and 27018.
As leaders in the field of Trust and Security, OneLogin will continue to evolve and offer new data transfer mechanisms to our customers as they become available.
We understand you may have additional questions and queries for us in relation to this ruling decision. To support providing Trust and Security Assurance we have documented some frequently asked privacy questions associated with this ruling.
Question - Why does OneLogin process Customer PII?
OneLogin only stores and processes PII data for the purpose of providing authentication and authorization services to our customers via our Trusted Experience Platform.
Question - What does EU-US Privacy Shield invalidity mean for OneLogin Customers?
Our EU/EEA region Customers can continue to use OneLogin’s Trusted Experience Platform. OneLogin continues to deliver to its legal, regulatory, compliance requirements for processing and storing personal identifiable data within our Trusted Experience platform service. OneLogin European Commission’s Standard Contractual Clauses (SCC) in short remain a valid and lawful data transfer mechanism.
Question - Is it possible to have an alternative contractual framework for transferring data to SCC data transfer mechanism?
As Trust and Security Leaders we are constantly evaluating new data transfer mechanisms as well as global best practice accreditations as they become available. We are monitoring closely the developments in this ruling and participating in forums sharing our expertise and input as privacy thought leaders.. We are confident that the EU and US will work together to put in a new updated data transfer framework that will address shortcomings of Privacy Shield.
We continue to provide our Customers, Partners, Suppliers and Prospects with Trust and Security Assurance via the program we operate. For further information, please visit OneLogin Trust. Alternatively, you can reach out to us via your Customer Account Management or directly at privacy@OneLogin.com