Data Transfer Impact Assessment

Data Transfer Impact Assessment for United States

In light of the “Schrems II” ruling of the Court of Justice of the European Union and the recommendations of the European Data Protection Board, Accept Mission conducts impact assessments for the data transfers that are part of the Accept Mission Service.

This Data Transfer Impact Assessment (“DTIA”) identifies and describes the risk as well as safeguards Accept Mission has put in place in connection with transfers of customer personal data from the European Economic Area, United Kingdom or Switzerland (“Europe”) to the United States and Accept Mission’s ability to comply with its obligations as “data exporter”.

In its Schrems II decision, the Court of Justice of the EU clarified that the use of standard contractual clauses (“SCC”) requires data exporters to conduct a case-by-case assessment of the level of protection that the SCCs can actually provide, taking into account the nature of the personal data transfers and the laws of the country of destination.

Please see the Accept Mission Data Protection Addendum (“DPA”) for a description of the nature of the processing. Accept Mission has put in place supplemental measures to protect personal data transferred to third parties in the United States. To see which data is transferred to which vendors outside the server location, see our list of sub-processors.

Assessment of the country of destination

The following US laws relevant to EU-U.S. data transfers are recognised as potential obstacles to ensuring essentially equivalent protection for personal data in the US; the first two were examined by the Court of Justice of the European Union in Schrems II:

  • FISA Section 702
  • Executive Order 12333
  • CLOUD Act

Because the United States does not afford personal data a level of protection that is essentially equivalent to that provided by the GDPR, additional technical, organizational, or contractual measures are needed.

Purpose for transfer and any further processing:

Accept Mission uses several sub-processors who store data in the United States and whose employees may access personal data in the United States. Please see our list of sub-processors for specific information and data flows.

Frequency

Accept Mission transfers data on a continuous basis, as the Service is used.

Categories of Personal Data

  • End-user email addresses
  • End-user names
  • End-user IP addresses
  • Customer credit card details
  • Customer contact IP addresses
  • Customer address
  • Customer contact name
  • Customer contact email

Please see our list of sub-processors for specific information about which sub-processor receives each category of personal data sent to the United States.

Sensitive Data

We do not intentionally transfer any sensitive data (special categories of personal data within the meaning of GDPR Article 9) to the United States.

Law Enforcement Requests

Each Accept Mission sub-processor has a law enforcement request policy in place and will notify Accept Mission, where permitted by law, before disclosing information in response to a request.

Processing Chain Length

Data is transferred externally to our sub-processors.

Applicable Transfer Mechanism

Where customer personal data originating from Europe is transferred by Accept Mission to third-party sub-processors in the United States, Accept Mission has entered into data processing agreements incorporating the SCCs with those parties.

Supplemental Vendor Measures

Each Accept Mission sub-processor has agreed to contractual measures that are at least as restrictive as those Accept Mission has agreed to with Customers. Please see our list of sub-processors for specific information on each sub-processor's certifications, compliance status, and technical and organizational security measures.

Additional Measures

Applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved:

  • Each Accept Mission sub-processor processing personal data in the United States has a law enforcement request policy in place and will notify Accept Mission, where permitted by law, before disclosing information in response to a request.
  • Each Accept Mission sub-processor processing personal data in the United States is certified against standards equal to or higher than those of Accept Mission, for example SOC 2 Type II.
  • Each Accept Mission sub-processor processing personal data in the United States applies a limited retention period to this data.
  • The categories of personal data are separated so that no single sub-processor receives all of them: one sub-processor processes end-user email addresses but not IP addresses, a second processes IP addresses, and a third processes Customer credit card details.
  • Where possible, data is encrypted and anonymized, and retention periods are minimized.
  • Accept Mission provides data protection training to all Accept Mission staff.

Please see our list of sub-processors for specific information about the vendor measures and additional measures for data sent to the United States.

While laws such as FISA Section 702 can be used to compel disclosure of information about non-US persons, the personal data sent to the United States is minimal and not linked to further data points: a name may be associated with an email address, but not with an IP address, behavioral information, or content.

Accept Mission (as “data exporter”) considers the risks for individuals’ rights in transferring and processing the limited set of categories of European personal data in/to the United States as low.

Given the nature of the transfers outlined in this document and the additional measures taken by Accept Mission and its third-party vendors, Accept Mission does not see the need for further supplementary measures at this time.

Re-evaluation

Accept Mission will review and, if necessary, reconsider the risks associated with its sub-processors as well as the measures implemented by itself and by third parties at regular intervals, at least annually.