Transfer Risk and Impact Statement
Great Place to Work
Overview
The privacy landscape is dynamic. GPTW has adopted privacy principles from the European Union’s General Data Protection Regulation (“GDPR”) as the foundation for our privacy program. These principles provide a consistent baseline for privacy in the development and operations of GPTW’s products and services and allow us to adapt to changes in the privacy landscape as they occur.
In response to Schrems II and Recommendations 2020/1 and 2020/2, GPTW relies on Module 2 and Module 3 of the standard contractual clauses (SCCs) adopted on June 4, 2021, and the UK International Data Transfer Agreement adopted on March 21st, 2022 (UK IDTA) as the mechanism that enables cross-border transfers of personal data between the EEA/UK and jurisdictions that are neither European Economic Area (EEA) members nor deemed adequate by the EU in accordance with Article 5 of the GDPR. GPTW has incorporated those SCCs and the UK IDTA into its Data Protection Addendum (DPA).
When we process our customers’ personal data, GPTW is a data processor. GPTW might use other processors (i.e., subprocessors) in order to provide the personal data processing requested by our customer as is more specifically set forth in our customer agreements. GPTW also has agreements in place with its subprocessors, which include written assurances designed to ensure the consistent and appropriate processing and safeguarding of personal data.
GPTW believes that a customer should control the information that they collect, create, communicate, and store about their workforce. GPTW does not give anyone access to a customer’s information unless the customer instructs us to do so, provides consent, or we are legally obligated to do so. GPTW does not support “back door” direct access to its operations (including our data stores) by any government. GPTW does not share its encryption keys or provide the ability to break its encryption keys to any government.
As a processor, GPTW encrypts personal data when it is stored and while it is transmitted. GPTW limits access to and encrypts its encryption keys. GPTW does not support a “bring your own keys” option for its customers as data is stored at the database level, and not on the file level. GPTW maintains its privacy and security programs in a manner that complies with its customer agreements. This includes our DPA and security addendum, which describe our programs and practices with respect to privacy and data security.
Outcome Statement
Based on the information in this Statement, GPTW has determined that it can proceed with the transfer of EEA/UK personal data to countries outside of the EEA (commonly referred to as third countries). GPTW’s transfers of EEA/UK personal data to third countries are subject to the SCCs and the UK IDTA, which impose obligations intended to ensure EEA/UK personal data transferred to third countries is afforded a level of protection that is essentially equivalent to that guaranteed by the data protection laws of the EEA and/or the United Kingdom. Furthermore, GPTW has no reason to believe that any laws that exist in the third countries to which it transfers personal data will be interpreted and/or applied in practice to cover GPTW’s transfer of EEA personal data to these third countries.
Disclaimer:
This document is our informed interpretation of the EU General Data Protection Regulation. It is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy and security professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this document. Furthermore, the information provided herein is subject to change without notice.
Great Place To Work | |
---|---|
Where is the importer located? | USA |
Will the importer be forwarding the data to another organization? | Yes |
If yes, what kind of organization is it, and where is it located? | GPTW subprocessors & affiliates |
Why are you making the transfer? | Cross-border transfer is necessary for customer support. |
What will the importer (and any other party to whom it forwards the data) be doing with the personal data? | Recipient will engage in personal data processing (storage, access, manipulation, and retention) to provide troubleshooting assistance to the customer. |
What security certifications does GPTW maintain? | GPTW maintains a SOC2 report. |
Who is the data about? | Employees, contractors, consultants |
What type(s) of data are you transferring? | The product processes personal data related to employee engagement surveys. |
How is the data sent? | Data is accessed remotely, and GPTW employees utilize VPN and TLS encryption. |
For how long can the importer (and other recipients) access the data? | GPTW and its subprocessors only engage in personal data processing as instructed and as described in its agreement with its customer, to comply with applicable laws, or for other legitimate interests. |
How often will these transfers occur? | Transfers will occur per the agreed-upon delivery of services detailed within the contractual commitment GPTW has with the customer or upon customer instruction. |
Country-Specific Information
USA
USA | |
---|---|
Are the contractual safeguards likely to be enforceable in the destination country? | Yes. The U.S. recognizes the rule of law, as there is an established and respected legal and court system. Foreign judgments or arbitration awards can be enforced. Under U.S. law, an individual seeking to enforce a foreign judgment, decree, or order in the U.S. must file suit before a competent court. The court will determine whether to recognize and enforce the foreign judgment. The U.S. has been a member of the Hague Conference on Private International Law since October 15, 1964, and is now a contracting state to six conventions of the Hague Conference, including the Choice of Court Convention. There is ready access to justice through the court system, which provides means for redress and effective remedies. The rights of third-party beneficiaries under contracts are recognized and enforced. There are high levels of integrity and independence in the judicial process. The UK is currently evaluating the possibility of finding adequacy for the U.S. with respect to privacy regulations. |
Are there laws that set out when and how the law can require access to data be given to third parties, including public authorities? | Yes. Public authorities or third parties cannot access data from private companies, including to intercept communications, without meaningful safeguards (for example, court order or warrant). Organizations can undertake workplace monitoring, but there are significant safeguards. |
Are there limitations on how third parties, including public authorities, can use the data they access? | Yes. Public and private authorities may only use the data they access or receive from third parties for justified and limited purposes – for example, in the case of public authorities, for law enforcement, protection of public health, and safeguarding national security. |
Do individuals have effective and enforceable rights and remedies in relation to the safeguards for third-party access? | Yes. There are clear and enforceable rights in place to allow individuals access to their personal data, and individuals may readily seek judicial challenge of private and public authorities accessing their data, including by using surveillance measures. |
Is there effective oversight? | Yes. Police and intelligence agencies operate with clear judicial or other effective administrative oversight of their activities. |
Does the destination country have mature data protection and/or privacy laws in place? | In the U.S. the Constitution does not expressly address individual privacy. The U.S. Supreme Court has inferred a right to privacy in its decisions citing to language in the First, Third, Fourth, Fifth, and Ninth amendments. Instead of omnibus federal privacy legislation, the U.S. has a patchwork of sector-specific privacy legislation and regulations that restrict the processing of personal data. These laws address information concerning an individual’s taxes (IRS rules), consumer credit (FCRA), financial accounts (GLBA), education records (FERPA), health information (HIPAA), and the like. The U.S. Federal Trade Commission (FTC) has performed privacy and security enforcement for nearly 50 years, for the FCRA and more recently for the Safe Harbor and Privacy Shield programs. The FTC also takes action for unfair or deceptive trade practices against entities when personal data processing is inconsistent with its privacy notice. Additionally, each of the U.S. states and protectorates has authority to enact its own legislation and regulations for privacy and data protection. While many state laws focus on protection for consumers, the effect of these laws can be quite broad, such as the application of California’s CCPA and CPRA legislation to personal data collected in the employment context. The patchwork of federal and state laws, when combined with inferred constitutional protections, provides a framework for the protection of personal data. |
Is there a legal framework governing the use of biometrics or facial recognition? | In the U.S., biometric and facial recognition are not addressed at the national level. Not all states have laws addressing these matters, and among those that do, there are inconsistencies. |
What other factors should be considered? | There is a history of respect for human rights (in particular, the rights to privacy, freedom of expression, and access to justice). FISA Section 702 cannot be used to investigate ordinary crimes. Instead, the surveillance under FISA Section 702 is largely restricted to specific areas of national defense, national security, and the conduct of foreign affairs, with an emphasis on international terrorism, sabotage, the proliferation of weapons of mass destruction, and other grave hostile acts. As a result, FISA Section 702 is limited in scope. First, “foreign intelligence information” must have some nexus to a “foreign power or foreign territory.” This means that most private business or customer records likely will not constitute “foreign intelligence information.” Second, in examining what organizations may be affected by FISA Section 702, the term “foreign power” as defined by the statute primarily incorporates foreign terrorist organizations, foreign governments, and instrumentalities of both. This means that most private businesses likely will not be considered a “foreign power.” Executive Order 12333 likely has limited to no relevance to transfers of EEA Personal Data to the United States as it generally applies to surveillance activities that are conducted wholly outside of the United States. Additionally, GPTW has assessed that it is not an “electronic communications service provider” under FISA Section 702 or Executive Order 12333 and therefore is not subject to access requests. The CLOUD Act allows US government access to data in criminal investigations and where there is a threat to the public order, subject to a warrant. GPTW does not voluntarily hand over personal information from its customers. Apart from this, GPTW has not built in any backdoors that would allow government authorities to circumvent its security measures to access service data. All of this should therefore mean that GPTW has implemented additional measures that adequately address any risk of essential equivalence created by third country regulations. |
Updated September 29, 2023