Many organizations have questions about the General Data Protection Regulation (GDPR), their obligations under it, and the most recent developments around it. The privacy team here at KnowBe4 put together this guide to address some of the most pressing questions about transfers of personal data from the European Economic Area (EEA), Switzerland, and the UK, to assist you on your compliance journey. We hope that this guide will support your determination that adequate levels of protection are in place for the processing of your personal data.
Although we go to great lengths to make sure our information is accurate and useful, we are not a law firm and cannot provide you with legal advice. This guide has been prepared for general information purposes only to provide you with information about doing business with KnowBe4, Inc. and its affiliates (KnowBe4). The information presented in this guide is not legal advice, is not to be acted on as such, may not be current, and is subject to change without notice.
Fiction: “Due to the Schrems II decision, United States data processors can no longer process European Union personal data.”
Fact: Following the Schrems II decision of the Court of Justice of the European Union (CJEU), organizations must assess each international data transfer against the requirements set by the CJEU and the European Data Protection Board (EDPB), and adopt “supplementary measures” where needed to provide legal certainty for the transfer, among a few other requirements. The other requirements can be found here.
Although the ruling found that U.S. law (Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 (EO 12333)) does not ensure a level of protection for European personal data that is essentially equivalent to that in the EU, FISA should not directly impact KnowBe4’s operations. To date, KnowBe4 has not received any request under Section 702 of FISA, and our processing activities are highly unlikely to be relevant to the foreign intelligence activities governed by Section 702.
Additionally, EO 12333 does not give the U.S. government the right to compel U.S. companies to assist with the government's mass surveillance activities. As a result, KnowBe4 cannot be compelled to take any action to facilitate the type of mass surveillance under EO 12333 that the Schrems II decision deemed problematic. The CJEU indicated that the Standard Contractual Clauses can be used for transfers of personal data to the U.S. where the clauses, together with any other safeguards that may be added, provide adequate protection for the personal data in light of Section 702 of FISA and EO 12333.
The KnowBe4 privacy team has put together this EU-US data transfer assessment to aid you in making a determination that there are adequate technical and organizational measures in place for the transfer and processing of your personal data.
Fiction: “The Standard Contractual Clauses can no longer be used for the transfer of personal data to the United States.”
Fact: The Standard Contractual Clauses may still be used for data transfers to the United States when combined with appropriate supplementary technical and organizational security measures. The Standard Contractual Clauses are included in our data processing addendum (DPA), which can be found here. The European Commission is expected to release a new set of standard contractual clauses in the coming months (Q1 or Q2 of 2021). KnowBe4 will continue to keep a close eye on any developments in order to ensure compliance with any new requirements set forth by European regulators.
Fiction: “The GDPR and the most recent data transfer developments require personal data to be stored in the European Union (EU).”
Fact: The GDPR and recent data transfer rulings do not require personal data to be stored within the EU. Personal data can still be transferred to countries with an adequate level of data protection, or to a country without an adequate level of data protection as long as an appropriate legal mechanism is in place. Although we offer the option to store some data within the EU, some data will continue to be processed in the United States. Our customers may rely on our standard contractual clauses, together with the appropriate technical and organizational security measures set out in our data processing addendum (DPA), as an appropriate legal mechanism for transferring personal data from the EU to the United States. For more information about our data centers, please visit knowbe4.com/security.