You may have heard about the CJEU’s recent ruling on EU data transfers. We’ve created this FAQs page to address any concerns you have about the decision and how it impacts your use of Sentry.
Prior to the Schrems II decision (Case C‑311/18), Sentry relied on the EU-US Privacy Shield as the data transfer mechanism for EU data transfers. Now that the CJEU has held in its July 16, 2020 ruling that the Privacy Shield is an invalid data transfer mechanism, Sentry will rely instead on the Standard Contractual Clauses (SCCs) to transfer EU data to the U.S. Even as it invalidated the Privacy Shield, the CJEU confirmed in Schrems II that the Standard Contractual Clauses (SCCs) can be used to transfer data outside the EU in compliance with the GDPR.
Yes. The SCCs are contractual terms that allow companies to transfer and process data outside the EU in compliance with the GDPR. They were approved by the European Commission and are the primary mechanism for data transfers/ You will find the Sentry SCCs in our newly revised Data Processing Addendum.
Sentry has put in place a number of measures to ensure that customer data remains protected in compliance with the GDPR, even when it is processed in the US.
You can find out more about our security program on our Security page.
Sentry considers any government request for data very carefully. This includes both requests from law enforcement as well as national security agencies. As a policy, we only respond to requests where we are legally compelled to do so – for example, where we have received a court order, subpoena, warrant, or other valid legal process that legally requires us to provide access to the data. We will also notify you of any requests that we receive, except where we are legally prevented from doing so.
Take a look at our transparency report for more information.
No! Although the CJEU invalidated the EU-US Privacy Shield, it didn’t say that all data transfers to the U.S. are illegal or that data should no longer be transferred to the U.S. In fact, the CJEU confirmed that companies can transfer data outside the EU – including to the U.S. – so long as they have implemented adequate safeguards to protect the data. There has been a lot of confusion on this topic, so we want to take a moment to explain.
Firstly, the CJEU said that the SCCs can be used to transfer data.
Secondly, it said that companies relying on the SCCs (the “data exporter” and “data importer”) must assess whether the data which is subject to the transfer will remain protected according to EU standards.
In some cases, the SCCs will be enough on their own to satisfy this requirement. In other cases, the parties may need to agree on “additional measures” (also referred to as “supplementary measures”) alongside the SCCs. Like many other US companies, we eagerly await further guidance from EU regulators and the European Data Protection Board (EDPB) that we hope will provide more clarity on what these “additional measures” should look like.
Yes! We want to reassure you that Sentry is committed to protecting your data and complying with the GDPR. The Schrems II decision does not affect the strong data privacy protections we have put in place to ensure that customer data remains protected when it is transferred to, and stored in, the U.S.
Before Schrems II, Sentry relied on the Privacy Shield to receive customer data from Europe. From now on, we’ll be making use of the SCCs to ensure we can continue to receive and process customer data from Europe in compliance with the GDPR.
We have already updated our standard Data Processing Addendum (DPA) to ensure that the SCCs are automatically incorporated in all our agreements. You can view our DPA at https://sentry.io/legal/dpa/2.0.0/.
To accept the DPA, follow these instructions.
Unfortunately, we are not able to provide individual responses to requests for verification forms. However, we have specifically developed these FAQs to answer our customer’s queries and concerns regarding Sentry’s compliance with EU/UK data export laws and which we therefore hope will go some way to meeting your concerns. If you have any remaining questions, please get in touch with us at firstname.lastname@example.org.
Our transparency report is at https://sentry.io/legal/transparency-report/.