Our aim is to be as transparent as possible when it comes to data protection and our role as a data processor for your Engaging Networks accounts. With this in mind, we have developed the following*:
- Data Processing Agreement (DPA) – last updated November 2022. Available to download here
- International Data Transfer Agreement (IDTA) between Engaging Networks and Engaging Networks USA – last updated October 2022. Available to download here
- A signed ‘Linked Agreement’ between the two parties as per the terms of the IDTA – last updated October 2022, available on request
- Transfer Impact Assessment – (version 1) – last updated July 2022, available on request
UK/EU GDPR and international transfers
Under either UK or EU GDPR, a specific mechanism is necessary to transfer outside of the respective jurisdictions. This requires that appropriate safeguards need to be in place to safeguard the rights of data subjects, should personal data be transferred outside of the EU or UK respectively.
As per the guidance from the Information Commissioners’ Office (ICO) in the UK, Engaging Networks can use the IDTA as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers. The IDTA replaces standard contractual clauses for international transfers. They take into account the binding judgement of the European Court of Justice, in the case commonly referred to as “Schrems II”. [further reading]
Engaging Networks is a data processor, and in the course of providing our services to clients uses Engaging Networks USA for the purposes of providing a number of functions.
- Maintenance/technical support (generally out of hours to UK / EU clients)
- Security/incident response
This means that personal data which falls under either EU GDPR or UK GDPR may be subject to a cross border transfer of personal data, in relation to the conditions above. When the cross-border transfer of data does occur, the personal data may be accessed from the USA but remains on our servers in Canada – and Canada has an adequacy decision with the UK / EU which recognises that they provide an equivalent level of protection for personal data as the EU / UK does.
Summary of transfers
|Jurisdictions||Nature of Transfer||Transfer mechanism|
|From EU to UK||EU personal data to EN offices in UK||Adequacy decision UK/EU|
|From UK / EU to Canada||EN servers are in Canada||Adequacy decision UK/EU|
|From UK to USA||EN USA providing tech Support (as above)||IDTA|
For the purposes of using the Engaging Networks service for UK / EU clients, Engaging Networks USA provides limited maintenance/technical support (e.g. out of hours support) or, if required, escalation to the operations or security teams. The role is limited and specific. Engaging Networks UK does have support staff cover within the UK and EU for all other services. Importantly, if a client so-wishes they can opt out of having the ‘out-of-hours’ support service offer, meaning USA support staff access can be blocked (via our ‘secure console’).
Further details regarding access can be found in the ‘Security Requirements’ and ‘Extra Protection Clauses’ sections of the IDTA signed between Engaging Networks and Engaging Networks USA.