You may have heard about recent developments in Europe regarding international transfers of personal data. At FullStory, we monitor those developments closely, and get some frequently asked questions in this area.
FullStory also knows its Customers care deeply about data privacy. We too care deeply about privacy, and are passionate about protecting our Customers’ privacy rights.
FullStory is committed to being transparent about how it transfers Customer data, how it safeguards Customer data, and how it handles governmental or law enforcement requests for Customer data.
What are "international transfers" of personal data?
Under the General Data Protection Regulation, personal data that originates in the European Union or European Economic Area (the “EEA”) and the United Kingdom can only be lawfully transferred outside of those jurisdictions using specific legal mechanisms. Those legal mechanisms must ensure the personal data will receive an equivalent level of protection in the country it is transferred to.
How does FullStory lawfully transfer customer data outside of the European Economic Area and the United Kingdom?
FullStory utilizes Standard Contractual Clauses (“SCCs”) as the legal mechanism to lawfully transfer customer data outside of the EEA and the United Kingdom. Please see the “International Transfer” section of FullStory’s Privacy Policy for more information about its approach to lawful data transfer. Please note that IP addresses are included in this category, and it is lawful for FullStory to transfer IP addresses from the EEA or the United Kingdom to the U.S. subject to a lawful transfer mechanism.
Is FullStory using the new Standard Contractual Clauses issued by the European Commission in June 2021?
Yes. In June 2021, the European Commission issued modernized standard contractual clauses under the GDPR for data transfers from controllers or processors in the EEA to controllers or processors established outside the EEA.
Per that issuance, FullStory began using the new SCCs on September 27, 2021. FullStory is currently in the process of distributing the new SCCs to our current customers, within the permitted transition period, where its current data transfers are governed by the old SCCs.
Does FullStory have data processing agreements?
Yes. Last Fall, FullStory updated its Data Processing Agreement, which includes the new modernized standard contractual clauses. Per guidance from the European Commission, FullStory began using the new SCCs on September 27, 2021. FullStory is in the process of distributing the new SCCs to its current customers, within the permitted transition period, where our current data transfers are governed by the old SCCs. Per the European Commission mandate, companies have until December 27, 2022 to transition all their existing Customers to the new SCCs.
Has the Schrems II ruling affected FullStory?
No. While FullStory is Privacy Shield certified, FullStory does not rely on the Privacy Shield Framework for the transfer of personal data from the European Economic Area to the U.S. FullStory relies on SCCs as a legal mechanism to lawfully and validly transfer personal data to the United States.
Has FullStory implemented any of the EDPB Recommendations?
Yes. Upon request, FullStory is happy to supply any customers or prospective customers with its detailed transfer impact assessment.
What is FullStory’s policy for what to do if they receive a governmental entity request for customer data?
FullStory will not voluntarily disclose customer data per a governmental or law enforcement request for data without a valid court-issued or other legally binding order, except in certain limited situations, such as when FullStory believes that disclosure is warranted by an emergency involving danger of death or serious physical injury.
Does FullStory have a process for what to do if they ever received a governmental entity request for customer data?
FullStory believes that government data requests should be limited in the information they seek, narrowly tailored and legitimate. FullStory maintains internal processes in which a limited group of legal and security personnel will review any request, in consultation with external legal advisors, to assess whether such request is narrowly tailored and lawful.
FullStory will resist blanket, bulk requests for data, and overly broad requests for data to the extent permitted by applicable law.
Who will FullStory inform if they receive a governmental entity request for customer data?
Except as prohibited by law, it is FullStory’s policy to first inform the relevant customer of governmental and law enforcement requests for their data.
Does FullStory’s stance on governmental entity requests for customer data apply to all Customers?
Yes. FullStory believes all Customers and persons deserve the same level of protection against governmental intrusion into their data. This means that we will review every governmental or law enforcement request for Customer data with the same scrutiny, regardless of where the request originates or how big/small our Customers are.
Does FullStory believe they will receive a governmental request for information?
No. Due to the nature of our services and product offering, it is actually unlikely that we would receive such requests. To date, FullStory has not received a government access request to customer data (including requests for access under FISA 702 or direct access under EO 12333). While FullStory may be subject to the surveillance laws identified in the Schrems II decision, FullStory has not been subject to these types of requests in its day-to-day business operations, and it does not have a basis to believe that it would receive government requests to participate in such surveillance programs.
If you have further questions, please contact FullStory’s Privacy team at privacy@fullstory.com.