We recently updated our Terms of Service (Terms) and Data Processing Agreement (DPA). This post highlights the main changes that we’d like to bring to your attention. The new terms will go into effect on December 31, 2021 for existing customers and immediately for new customers.
New Rulings to Secure Private Data
The value of personal data is growing every day. In many cases, this data is making our lives easier and businesses more profitable, but with so much value being extracted from this new resource, constant security assessments are paramount.
In a recent court case, Schrems II, the privacy of international data transfers was brought into question. Due to the new rulings of this case, iconik has updated its Data Processing Agreement.
Background of Schrems II
Maximilian Schrems, an Austrian lawyer and activist, called on the Irish Data Protection Commissioner to invalidate the consent form and the Standard Contractual Clauses (SCCs) for Facebook to use data transferred to the US. He argued that personal data, both in transit to and when stored in the US, could be accessed by US intelligence agencies. Schrems believed this would be in violation of the GDPR and EU law.
On 16 July 2020, the European Court of Justice (CJEU) issued the Schrems II judgement with major implications for the use of US cloud services. Customers of US cloud service providers must themselves take responsibility for verifying the data protection laws of the recipient country, documenting their risk assessment, and consulting with their own customers. The judgement also stated that SCCs were still valid as a transfer mechanism in principle but that they needed more attention to better support efficient practices. To study the case in its entirety, see the ECJ’s full judgement in Case C-311/18. On June 4, 2021, the European Commission issued an updated set of SCCs, and on June 21, 2021, the European Data Protection Board issued a set of Recommendations on supplementary measures detailing how data processors like iconik can implement secure transfers of personal data to non-EU/EEA countries.
This leads us to the updates.
iconik is GDPR Compliant
Iconik can confirm that all cross-border data transfers that we are responsible for comply with the GDPR and this recent CJEU judgement in Schrems II. The addition of the new SCCs makes up the majority of the changes to our terms. The terms now clearly state that we provide a written agreement on our processing of personal data on behalf of the controller and that we honor customers’ rights to perform an audit of their data to ensure that iconik is fulfilling its obligations in the DPA.
Important Additions to our Terms and DPA
Some other significant changes to our Terms and DPA include:
- Clarification that user accounts have to be personal, not shared, in the Terms
- Adjustments to the notice period in the Terms
- New EU Standard Contractual Clauses for transfers of data outside of EU/EEA as Appendix 3 of the DPA.
- Clarified technical details in Appendix 2 of the DPA
- New addresses of our data processing location and the purpose of processing for each subprocessor are in Appendix 1 of the DPA.
- New mailing address for iconik Media AB
It’s also important to know that the iconik terms and conditions supersede all other terms and conditions, whether those are in oral or written form. Only those terms and conditions that are controlled or endorsed by iconik will be in effect unless expressly stated otherwise by iconik. This also means that references to other terms and conditions in purchase orders, contracts, letters, e-mails, or any other method are not binding unless expressly stated otherwise by iconik. To arrange for custom terms, contact your iconik sales representative beforehand.
See the Updates or Inquire More
Iconik is committed to continued vigilance over all of our processes and agreements to ensure that we deliver the most secure and transparent service possible. If you have further questions about our updated Terms or DPA, you can contact us here.