Why is Segment updating the Data Protection Addendum (DPA)?
We updated the DPA primarily to account for and incorporate the new Standard Contractual Clauses (SCCs) that the European Commission published on June 4, 2021 to address data transfers originating from the European Economic Area (EEA). These new SCCs are meant to better align with the regulatory requirements of the GDPR, and to address issues highlighted in recent legal decisions like Schrems II. We also took this opportunity to revise and reformat our DPA to make it easier to read and understand.
These “new” modernized SCCs replace the 2001, 2004, and 2010 SCCs currently in use.
Does this impact me as a customer?
The updates to the DPA to incorporate the SCCs are only applicable to customers who use Segment to process EEA personal data. However, as noted above, we have also revised the DPA to make it easier to read and understand.
What do I need to do?
For those customers subject to our Online DPA, no action is required. The updated DPA will automatically become part of your agreement with us effective September 27, 2021.
If you have negotiated a separate DPA with Segment, which includes the prior version of the SCCs, those SCCs will remain in place and effective until December 27, 2022. If you would like to update them prior to December 27, 2022, please reach out to your Segment Account Executive. We are happy to accommodate your request to update to our new DPA at any point before or at your next renewal.
Are you making other changes to your DPA?
Yes and no. Our DPA integrates the requirements of the SCCs in a manner that does not allow us to simply strip out the prior version SCCs to be replaced with the new SCC module format, and more granular requirements of the new SCCs.
So, yes, we have made many changes to the DPA to make it an easier to read and understand document for all of our global customers (for example, moving EU-specific clauses to separate appendices), but also no, in that we have not made any substantive changes other than those related to the new SCCs.
When is the updated DPA effective?
The updated DPA will be automatically effective on September 27, 2021 for all Segment customers that have agreed to the terms of our Online DPA. New transfers (i.e. new contracts) made after September 27, 2021 must use the new SSCs because the prior versions of the SCCs are repealed effective as of this date.
I have negotiated the terms of my DPA directly with Segment (i.e., I am not subject to the standard online DPA terms). Do I need to update my DPA to account for new SCCs and when?
Yes, but there is a grace period. If you have negotiated a separate DPA with Segment that includes the prior EU-approved version of the SCCs, those SCCs will remain in place and effective until December 27, 2022. If you would like to update them prior to December 27, 2022, please reach out to your Segment Account Executive. We are happy to accommodate your requests to update to the new DPA at any point before or at your next renewal.
What changes do the EU’s new SCCs contain?
As mentioned above, the European Commission updated the SCCs to address more complex processing activities that exist in today’s world, the requirements of the GDPR, and the Schrems II decision, including requirements to apply additional transparency and notification controls covering government access requests, and to carry out and document an assessment of the laws of the third country to confirm that the local law in the importing country does not prevent Segment’s compliance with the terms in the SCCs.
The new SCCs are also modular so they can be tailored to the type of transfer. The prior version of the SCCs applied only to controller-controller and controller-processor transfers of personal data from the EU to countries without an adequacy decision by the European Commission. The updated clauses are expanded to also include processor-processor and processor-controller transfers.
When are SCCs applicable to me as a customer?
Segment relies on SCCs to transfer personal data outside the EEA, UK and Switzerland to the United States. This means that if you are using the Segment Services to transfer personal data originating from the EEA, the UK, and/or Switzerland, then the SCCs are the valid transfer mechanism to make such transfers.
Do the new SSCs apply to transfers of personal data from the UK to the US?
No. The original SCCs will continue to apply to transfers of personal data from the UK to the US until the UK recognizes the European Commission’s new SCCs or adopts its own version. For more information about UK data transfers, please view the ICO website on SCCs and data transfers here.