New Standard Contractual Clauses
Airship is committed to upholding global data privacy and security standards, including those set forth by the European Commission (“Commission”) in the updated Standard Contractual Clauses (“SCCs”) issued in June 2021.
The modernized SCCs were developed in response to the European Union Court of Justice (“ECJ”) opinion in the Schrems II case. In Schrems II the ECJ established that organizations must conduct a case-by-case determination of whether foreign legal protections concerning government access to personal data meet EU standards.
The modernized SCCs provide helpful guidance for data controllers (data exporters) and data processors (data importers) when considering whether additional safeguards are needed to ensure appropriate data protection standards when personal data is transferred from the EU to third countries, including the US.
Airship Has Implemented the New SCCs
Airship has implemented the modernized SCC framework in its contracting processes with new customers effective as of September 27, 2021. All new Airship customers enter into a Data Protection Agreement (“DPA”) with Airship incorporating the modernized SCCs. All existing Airship customers with DPAs entered into prior to the December 27, 2022 deadline set by the Commission for transitioning to the modernized SCCs benefit from the New SCCs DPA Amendment, incorporated effective as of December 27, 2022. More information is available on the New SCCs DPA Amendment page.
Airship’s Technical, Operational and Policy Safeguards Respond to the New SCC Requirements
The modernized SCCs can be used to facilitate lawful transfers of data if certain conditions are met. The modernized SCCs have also introduced a risk-based format and additional framework that data exporters can use in assessing the adequacy of a data importer’s data protection measures. In particular, SCC Annex II provides a list of technical and organizational measures that provide adequate protection for personal data transfers to third countries. Our Security Measures align with these Annex II supplementary measures. Together with our focus on Privacy by Design and contractual commitments, Airship’s policies and measures help global organizations meet the requirements of data privacy and protection regulations.
The following sections provide an overview of the measures, policies and procedures that align with the requirements set forth in the SCCs. For more details on any of these measures or policies, please contact the Airship Legal team at airshiplegal@airship.com.
Technical and Operational Safeguards:
Our key technical and organizational measures are based on OWASP Top 10 best practices and include:
- Privacy by Design principles for the product development cycle
- Pseudonymization measures
- Encryption of data at rest and in transit
- Data Retention Policy focused on limited data retention
- Data minimization
- Data deletion functionalities directly available via API
- Data subject requests management functionalities available via API
- Testing and patch management standards and procedures
- Personnel security and confidentiality policies and procedures
- Business continuity planning including data restoration methods
- Access controls
- Regular independent verification and certification of security controls
Appropriate Legal Protections:
As part of this risk-based approach, the Implementing Decision issued by the Commission on 4 June 2021 provides a helpful framework for the overall assessment of whether additional measures are needed. When making the assessment, the parties are encouraged to consider factors such as:
- Reliable information on the application of the law in practice;
- The existence or absence of requests in the same sector; and
- The documented practical experience of the data exporter and/or data importer.
While not exempt from US laws permitting public authority surveillance, the nature of Airship’s business means that we are not a likely target of US surveillance. In fact, the United States Department of Commerce has issued an official statement affirming that “most US companies do not deal in data that is of any interest to US intelligence agencies” and that the kinds of data transfers undertaken by most US companies do not present the type of privacy risk that concerned the ECJ in Schrems II. The Department’s statement further clarifies that businesses whose operations involve “ordinary commercial products and services” with the transfer of personal data involving “ordinary commercial information like employee, customer or sales records” would have no basis to believe that US intelligence agencies would seek to collect such data.
In its company history, Airship has never been the subject of a public authority data request in the US or elsewhere. If Airship were to receive such a request concerning the data of EU citizens, we would honor our obligations in compliance with Section III (“Local Laws and Obligations in Case of Access by Public Authorities”), Clause 14 (“Local laws and practices affecting compliance with the Clauses”) and Clause 15 (“Obligations of the data importer in case of access by public authorities”), as well as Section IV (“Final Provisions”), Clause 16 (“Non-compliance with the Clauses and termination”) of the SCCs.
For more details, please review our “Response to Public Authority Requests for Personal Data” policy.
Airship Adheres to the EU-US Data Privacy Framework (“EU-U.S. DPF”) Principles
In addition to the modernized SCCs, Airship participates in and certifies compliance with the Data Privacy Framework Principles. With the Data Privacy Framework, Europe introduced the adequacy framework for US companies that self-certify under the DPF. An essential element of the adequacy decision was the updated US legal framework, e.g. Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities”, which was signed by President Biden on 7 October and is accompanied by regulations adopted by the Attorney General. These instruments were adopted to address the issues raised by the Court of Justice in its Schrems II judgment.
For Europeans whose personal data is transferred to the US, the Executive Order provides for:
- Binding safeguards that limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security;
- Enhanced oversight of activities by US intelligence services to ensure compliance with limitations on surveillance activities; and
- The establishment of an independent and impartial redress mechanism, which includes a new Data Protection Review Court to investigate and resolve complaints regarding access to their data by US national security authorities.
More information is available in our Privacy Statement under the Section EU-US Data Privacy Framework (“EU-U.S. DPF”) and Swiss-US Data Privacy Framework (“Swiss-U.S. DPF”).
Additional Steps Airship Will Take
In addition to the technical, operational and policy safeguards listed above, Airship will also:
- Evaluate and where necessary complete Transfer Impact Assessments for all Subprocessors involved in processing activities; and
- Ensure relevant subprocessor agreements comply with the updated standards required for data transfers in accordance with GDPR and other applicable privacy laws.
Updated: October 12, 2023