Data Transfer Impact Assessment

Effective February 1, 2025

Introduction

This Data Transfer Impact Assessment (“DTIA”) assists Automox customers with conducting risk assessments for the transfer and processing of personal data in connection with their use of the Automox platform in light of the “Schrems II” ruling of the Court of Justice for the European Union and the subsequent recommendations from the European Data Protection Board. The DTIA supplements the information necessary for compliance with data transfer provisions under the Data Protection Law and Regulations as defined in the Automox Data Processing Addendum (“DPA”).

The Automox DTIA addresses direct and onward data transfers in connection with Automox's provision of Automox platform. The processing activities (including transfers) are outlined in the DPA.

Automox processes personal data in several jurisdictions, which may include transferring personal data out of the European Economic Area, the UK, and Switzerland (together, “Europe”) to both, countries holding adequacy status under the Data Protection Laws and Regulations and third countries.

Automox participates in and certifies compliance with the Data Privacy Framework (“DPF”), including the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. The EU Commission confirmed in its FAQs that all safeguards that have been put in place by the U.S. Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the U.S. regardless of the transfer mechanism used. These safeguards therefore also facilitate the use of other tools, such as the Standard Contractual Clauses (the SCCs).

The Automox DPA incorporates the SCCs as our data transfer mechanism where data is transferred outside of the European Economic Area, the UK or Switzerland to countries that do not ensure an adequate level of protection under Data Protection Laws and Regulations as follows:

  • Where personal data protected by the GDPR is transferred to Automox outside of Europe, Automox relies upon the EU SCCs to provide an appropriate safeguard for the transfer. Under the EU SCCs, our customers are acting as the “Data Exporter” and Automox is the “Data Importer”.

  • Where personal data protected by the UK Data Protection Law is transferred to Automox outside of the UK, Automox relies on the UK Addendum in our DPA in accordance with the ICO guidance from 2022.

  • Where personal data that is protected by the Swiss Federal Act on Data Protection is transferred to Automox outside of Switzerland, Automox relies upon the EU SCCs plus certain interpretative provisions to make the EU SCCs work for Switzerland's legal regime.

Scope of the Data Transfer Impact Assessment

Our analysis of transfers to third countries is described below.

United States

Purpose for transfer and any further processing

Direct transfers Automox has offices in the United States where our employees may access personal data for the purposes of the provision of the Automox platform.
Onward transfers: Automox transfers personal data to its sub-processors for the purposes of assisting in the provision of the platform as further outlined in our sub-processor page.

The frequency of the transfer


Direct transfers: Continuous.
Onward transfers: Continuous.

Categories of personal data transferred

Direct transfers: As detailed in the DPA.
Onward transfers: Please refer to our sub-processor page for more information.

Sensitive data transferred (if applicable)

Direct transfers: Not Applicable.
Onward transfers: Not Applicable.

Length of processing chain

Onward transfers: Please refer to our sub-processor page for more information.

Applicable transfer mechanism

Direct transfers: Automox's DPF certification, or the Standard Contractual Clauses, for the contractual relationship between Automox and its customers.
Onward transfers: Standard Contractual Clauses between Automox and its sub-processors. Automox imposes obligations on its sub-processors to implement appropriate technical and organizational measures ensuring that the sub-processing of personal data is protected to the standards required by applicable data protection laws.

Identifying laws and practices relevant in light of all circumstances of the transfer

The following U.S. laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the U.S.:

  • FISA Section 702 (“FISA 702”) - allows U.S. government authorities to compel disclosure of information about non-U.S. persons located outside the U.S. for the purposes of foreign intelligence information gathering.

  • Executive Order 12333 (“EO 12333”) - authorizes intelligence agencies (like the U.S. National Security Agency) to conduct surveillance outside of the U.S.. In particular, it provides authority for U.S. intelligence agencies to collect foreign “signals intelligence” information, meaning information collected from communications and other data passed or accessible by radio, wire, and other electromagnetic means.

Further information about these U.S. surveillance laws can be found in the U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S.Data Transfers after SchremsII whitepaper from September 2020.

The Clarifying Lawful Overseas Use of Data (CLOUD) Act governs how U.S. law enforcement agencies may obtain information held by certain technology companies. For more information about the CLOUD Act, please refer to What is the CLOUD Act? by BSA Software Alliance.

With the DPF, Europe introduced the adequacy framework for U.S. companies that self-certify under the DPF. An essential element of the adequacy decision was the updated U.S. legal framework, e.g. Executive Order on “Enhancing Safeguards for United States Signals Intelligence Activities”, which was signed by President Biden on 7 October 2022, and is accompanied by regulations adopted by the Attorney General. These instruments were adopted to address the issues raised by the EU Court of Justice in its Schrems II judgment.

For Europeans whose personal data is transferred to the U.S., the Executive Order provides for:

  • Binding safeguards that limit access to data by U.S. intelligence authorities to what is necessary and proportionate to protect national security;

  • Enhanced oversight of activities by U.S. intelligence services to ensure compliance with limitations on surveillance activities; and

  • The establishment of an independent and impartial redress mechanism, which includes a new Data Protection Review Court to investigate and resolve complaints regarding access to Europeans' data by U.S. national security authorities.

Automox participates in and certifies compliance with the Data Privacy Framework. We are now able to rely on the adequacy decision to receive European personal data. You can find more information in our DPA.

Supplemental Measures

To protect personal data in accordance with Data Protection Laws and Regulations, Automox implements the supplemental technical, contractual, and organizational measures set forth in Exhibit B of the DPA.

Re-evaluating at appropriate intervals

Automox will review and, if necessary, reconsider the risks involved and the measures it has implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.

Legal Notice: Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current Automox product offerings, services, and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from Automox and its affiliates, suppliers, or licensors. The responsibilities and liabilities of Automox to its customers are controlled by Automox agreements, and this document is not part of, nor does it modify, any agreement between Automox and its customers.