At ClassDojo, we take our commitment to your privacy and data protection seriously, that's why every ClassDojo product is designed with privacy and security first. We believe you should have meaningful control over your data and know exactly how it is used. As a US-based company, user data is stored in the United States. As such, certain jurisdictions require specific legal requirements are met in order to transfer this personal data from your location to the United States. When personal data is transferred outside of the European Economic Area (“EEA), the United Kingdom (“UK”), or Switzerland, the General Data Protection Regulation, including as implemented or adopted under the laws of the UK (“GDPR”), requires specific conditions to be fulfilled to ensure an equivalent level of protection for this data.
How can Personal Data from the EEA or UK be Lawfully Transferred to the U.S.?
International transfer of personal data is regulated under the GDPR to ensure the continued protection of personal data outside of the EEA, Switzerland, or UK. To ensure this, the GDPR sets forth the mechanisms that may be used for international transfer. These include:
- Adequacy decision delivered by the EU Commission where the EU Commission decided the recipient country ensures an adequate level of protection for personal data (e.g., Argentina, Canada, Israel, Japan, complete list available here); or
- In the absence of an adequacy decision:
- Article 49 derogations (such as consent); or
- Appropriate safeguards (i.e. transfer mechanism) which can be outlined in a legally binding instrument, such as a contract between the parties. Following the decision of the Court of Justice of the European Union (CJEU) on July 16, 2020 (“Schrems II decision”), which invalidated the EU-US Privacy Shield, the following has been determined to be valid transfer mechanism under this approach:
- The European Commission’s Standard Contractual Clauses (“SCCs”).
What Mechanism under the GDPR does ClassDojo use to Transfer Personal Data to the U.S?
If you are based in the EEA, Switzerland, or the UK, in order to meet these legal requirements, we obtain explicit consent from individual users (e.g. data subjects) when ClassDojo collects this information directly from users under Article 49(a) derogation provided for in the GDPR where ClassDojo is acting as a controller (as that term is defined under GDPR). *Please note as well that there is new guidance from the European Data Protection Board (“EDPB”) that this direct collection from users may not in fact constitute a transfer under Chapter V of the GDPR as an individual user is neither a controller nor processor. Once the new Privacy Framework is fully operational, ClassDojo will rely on the Privacy Framework as the transfer mechanism.
Additionally, where we are acting as a processor (as that term is defined under the GDPR) to schools located within the EEA, Switzerland, or the UK, and have a contractual relationship with these schools, we offer the SCCs. Please ask your School Leader to contact us at privacy@classdojo.com in order to obtain the SCCs to further assist with meeting the GDPR legal requirements regarding personal data transfer to the United States. Please see the additional information set forth below regarding SCCs prior to contacting us. *Note that once the new Privacy Framework is fully operational, ClassDojo will rely on the Privacy Framework instead of the SCCs as the transfer mechanism.
If you started using ClassDojo from the EEA or Switzerland prior to July 16, 2020, the transfer of your data to the US was covered under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield”). On July 16, 2020, the CJEU issued a ruling invalidating the EU-U.S. Privacy Shield program. Given this decision, for individual users with whom ClassDojo can not enter into SCCs, and from whom ClassDojo collects personal information directly, ClassDojo obtains explicit consent from data subjects in order for these users to continue to access and use the ClassDojo service. *Please note as well that there is new guidance from the European Data Protection Board (“EDPB”) that this direct collection from users may not in fact constitute a transfer under Chapter V of the GDPR as an individual user is neither a controller nor processor. Additionally, once the new Privacy Framework is fully operational, ClassDojo will rely on the Privacy Framework as the transfer mechanism.
As of July 16, 2020, we no longer rely on the Privacy Shield to transfer data that originated in the EEA, Switzerland, or the UK to the U.S, but continue to uphold our obligations and responsibilities for data transferred prior to this date under the Privacy Shield. Additionally, even though we are not relying on the Privacy Shield as a transfer mechanism from the EEA, Switzerland, or UK to the U.S., we have chosen to continue to comply with the Privacy Shield and its commitments to demonstrate our continued commitment to privacy. Once the new Privacy Framework is fully operational, ClassDojo will rely on the Privacy Framework as the transfer mechanism.
If you do not wish to provide consent, or you would like to withdraw your consent at a later time, you will need to either delete your account or request that we delete it for you by emailing us at privacy@classdojo.com.
Please read below for more context and information:
General Data Protection Regulations (GDPR)
ClassDojo has complied with GDPR since it went into effect on May 25, 2018. You can learn more about ClassDojo's compliance with GDPR here. To make GDPR related data access, correction, deletion or data download requests, please submit a request to our Support Team using this form or by emailing us at privacy@classdojo.com.
How does the invalidation of the Privacy Shield framework affect data transfers from ClassDojo users in the EEA, Switzerland or the U.K. to the U.S.?
On July 16, 2020, the CJEU issued a ruling – the Schrems II decision - invalidating the Privacy Shield program. As of July 16, 2020, we no longer rely on the Privacy Shield to transfer data that originated in the EEA, Switzerland, or the UK to the U.S, but continue to uphold our obligations and responsibilities for data transferred prior to this date under the Privacy Shield. The U.S. Department of Commerce has made it clear that companies still need to meet their obligations under the Privacy Shield for data previously transferred under the Privacy Shield to the U.S. prior to the Privacy Shield invalidation. Given this, you will still see our statements related to Privacy Shield in our Privacy Policy, to confirm our obligations for any personal data that we previously transferred pursuant to the Privacy Shield. Additionally, even though we are not relying on the Privacy Shield as a transfer mechanism from the EEA, Switzerland, or UK to the U.S., we have chosen to continue to comply with the Privacy Shield and its commitments to demonstrate our continued commitment to privacy. Once the new Privacy Framework is fully operational, ClassDojo will rely on the Privacy Framework as the transfer mechanism.
Article 49 of the GDPR provides for various mechanisms for international transfers of personal data, including consent, and ClassDojo currently relies on consent (for individual users) as a means of transfer to the United States as well as the SCCs when appropriate (as noted below) and where we are acting as a data processor (as that term is defined under the GDPR) to schools. *Please note as well that there is new guidance from the European Data Protection Board (“EDPB”) that this direct collection from users may not in fact constitute a transfer under Chapter V of the GDPR as an individual user is neither a controller nor processor. Once the new Privacy Framework is fully operational, ClassDojo will rely on the Privacy Framework as the transfer mechanism.
Standard Contractual Clauses:
The European Commission’s SCCs are legal contracts entered into between parties that are transferring personal data outside of the EEA, Switzerland, and the UK into the U.S. The initial SCCs were drafted and approved by the European Commission in 2010. Following the Schrems II decision, the European Commission published a new draft of the SCCs to incorporate the requirements of GDPR and the Schrems II decision with the final version published on June 4, 2021 (the “New SCCs”). The European Commission granted companies a transitional period of 18 months to implement the New SCCs in their existing contracts that contained the initial SCCs. However, due to Recital 7 in the New SCCs, there remained a question of whether the New SCCs can be used by U.S. companies subject to the GDPR.
This question was recently answered in guidance from the EDPB on November 18, 2021, where the EDPB stated that where the importer is subject to GDPR (such as ClassDojo), a transfer tool is needed, but that it is not the New SCCs. The EDPB further announced that it stands ready to cooperate in the development of such a transfer tool, such as a new set of Standard Contractual Clauses (“SCCs Lite”), to apply in this situation where data importers are subject to GDPR. Due to this, ClassDojo is continuing to await additional guidance before providing the New SCCs where we do not have existing contracts with schools. Additionally, given the new Trans-Atlantic Privacy Framework (“Privacy Framework”), ClassDojo will also be using the Privacy Framework as the transfer mechanism (once operational) and will not rely on the SCCs Lite or the New SCCs. On December 13, 2022 the European Commission launched the process toward the adoption of an adequacy decision for the Privacy Framework.
Existing Contracts:
For any school that previously contracted with ClassDojo with the initial SCCs, these contracts are still valid until December 27, 2022 for the European Union and March 21, 2024 for the UK. For any additional information regarding Section 702 or our supplementary measures, please see our FAQ here.
New Contracts:
UK schools: ClassDojo has SCCs incorporated into our International Student Data Processing Agreement. that any contracts entered into prior to September 21, 2022, and using the SCCs (e.g. through ClassDojo’s Current UK DPA) will continue to be valid until March 21, 2024. ClassDojo is awaiting additional guidance from the ICO on both the IDTA and the UK Addendum and will continue to use its Current UK DPA until September 21, 2022. Additionally, ClassDojo is awaiting further details on whether the Privacy Framework will also be extended to the UK. If you would like to review or enter into ClassDojo's Current UK DPA please reach out to privacy@classdojo.com
EEA or Switzerland-based schools: ClassDojo will incorporate the SCCs Lite into our International Student Data Processing Agreement once these are developed and adopted and we receive more guidance from the European Commission and the EDPB. If the new Privacy Framework is operational prior to the SCCs Lite being developed, ClassDojo will rely on the new Privacy Framework as the transfer mechanism and will not rely on the SCCs Lite. If you would like to review or enter into ClassDojo's International DPA please reach out to privacy@classdojo.com for more information.
Additional Resources:
- ClassDojo's Trust Center
- ClassDojo's Privacy Policy
- ClassDojo's Information Transparency page
- ClassDojo's Security Whitepaper
Comments