At ClassDojo, we take our commitment to your privacy and data protection seriously, that's why every ClassDojo product is designed with privacy and security first. We believe you should have meaningful control over your data and know exactly how it is used. As a US-based company, user data is stored in the United States. As such, certain jurisdictions require specific legal requirements to be met in order to transfer this personal data from your location to the United States. When personal data is transferred outside of the European Economic Area (“EEA), the United Kingdom (“UK”), or Switzerland, the General Data Protection Regulation, including as implemented or adopted under the laws of the UK (“GDPR”), requires specific conditions to be fulfilled to ensure an equivalent level of protection for this data.
How can Personal Data from the EEA or UK be Lawfully Transferred to the U.S.?
International transfer of personal data is regulated under the GDPR to ensure the continued protection of personal data outside of the EEA, Switzerland, or UK. To ensure this, the GDPR sets forth the mechanisms that may be used for international transfer. These include:
- Adequacy decision delivered by the EU Commission where the EU Commission decided the recipient country ensures an adequate level of protection for personal data, list of countries available here; or
- In the absence of an adequacy decision:
- Article 49 derogations (such as consent); or
- Appropriate safeguards (i.e. transfer mechanism) which can be outlined in a legally binding instrument, such as a contract between the parties. Following the decision of the Court of Justice of the European Union (CJEU) on July 16, 2020 (“Schrems II decision”), which invalidated the EU-US Privacy Shield, the following has subsequently been determined to be valid transfer mechanism under this approach:
- The European Commission’s Standard Contractual Clauses (“SCCs”).
- draft adequacy opinion which is awaiting formal adoption.
What Mechanism under the GDPR does ClassDojo use to Transfer Personal Data to the U.S.?
Article 49 of the GDPR provides for various mechanisms for international transfers of personal data, including consent, and ClassDojo currently relies on consent (for individual users) as a means of transfer to the United States as well as the SCCs when appropriate (as noted below) and where we are acting as a data processor (as that term is defined under the GDPR) to schools.
Individual Users
If you are based in the EEA, Switzerland, or the UK, in order to meet these legal requirements, we obtain explicit consent from individual users (e.g. data subjects) when ClassDojo collects this information directly from users under Article 49(a) derogation provided for in the GDPR where ClassDojo is acting as a controller (as that term is defined under GDPR).
Please note guidance from the European Data Protection Board (“EDPB”) that this direct collection from users may not in fact constitute a transfer under Chapter V of the GDPR as an individual user is neither a controller nor processor. Once the new Privacy Framework is fully operational, ClassDojo will rely on the Privacy Framework as the transfer mechanism.
If you do not wish to provide consent, or you would like to withdraw your consent at a later time, you will need to either delete your account or request that we delete it for you here.
When ClassDojo is Acting as a Processor
Additionally, where we are acting as a processor (as that term is defined under the GDPR) to schools located within the EEA, Switzerland, or the UK, and have a contractual relationship with these schools, we offer the SCCs. Please ask your School Leader to contact us at privacy@classdojo.com in order to obtain the SCCs to further assist with meeting the GDPR legal requirements regarding personal data transfer to the United States. Please note this section below regarding SCCs prior to contacting us.
Once the new Privacy Framework is fully operational, ClassDojo will rely on the Privacy Framework instead of the SCC’s as the transfer mechanism.
Privacy Shield
If you started using ClassDojo from the EEA or Switzerland prior to July 16, 2020, the transfer of your data to the US was covered under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield”). On July 16, 2020, the CJEU issued a ruling invalidating the EU-U.S. Privacy Shield program. Given this decision, for individual users with whom ClassDojo can not enter into SCCs, and from whom ClassDojo collects personal information directly, ClassDojo obtains explicit consent from data subjects in order for these users to continue to access and use the ClassDojo service.
Although we no longer rely on the Privacy Shield, we have chosen to continue to adhere to its principles and uphold our obligations and responsibilities for data transferred before the invalidation under the framework. The United States Department of Commerce is clear that companies are still accountable under the Privacy Shield for data transferred to the United States prior to the invalidation. Given this, our Privacy Policy contains statements related to the Privacy Shield to confirm our obligations for any personal data that we previously transferred under the framework.
Please note guidance from the European Data Protection Board (“EDPB”) that this direct collection from users may not in fact constitute a transfer under Chapter V of the GDPR as an individual user is neither a controller nor processor. Once the new Privacy Framework is fully operational, ClassDojo will rely on the Privacy Framework as the transfer mechanism.
General Data Protection Regulations (GDPR)
Learn more about ClassDojo's compliance with GDPR here. To make GDPR-related data access, correction, deletion, or data download request(s), use this form or email privacy@classdojo.com.
Standard Contractual Clauses:
The European Commission’s SCCs are legal contracts entered into between parties that are transferring personal data outside of the EEA, Switzerland, and the UK into the U.S. The initial SCCs were drafted and approved by the European Commission in 2010. Following the Schrems II decision, the European Commission published a new draft of the SCCs to incorporate the requirements of GDPR and the Schrems II decision with the final version published on June 4, 2021 (the “New SCCs”). However, due to Recital 7 in the New SCCs, there remained a question of whether the New SCCs can be used by U.S. companies subject to the GDPR. This question was answered in guidance from the EDPB on November 18, 2021, where the EDPB stated that where the importer is subject to GDPR (such as ClassDojo), a transfer tool is needed, but that it is not the New SCCs. The EDPB further announced that it stands ready to cooperate in the development of such a transfer tool, such as a new set of Standard Contractual Clauses (“SCCs Lite”), to apply in this situation where data importers are subject to GDPR.
Due to this, ClassDojo is continuing to await additional guidance before providing the New SCCs where we do not have existing contracts with schools, but can also enter into GDPR-specific Data Protection Addendums without the New SCCs to provide required GDPR protections and meet GDPR requirements separate from the transfer mechanism. Additionally, given the new Privacy Framework, ClassDojo will also be using the Privacy Framework as the transfer mechanism (once operational) and will not rely on the SCCs Lite or the New SCCs. Please see below for more information:
Existing Contracts:
- UK Schools: ClassDojo has SCCs incorporated into our prior UK International Student Data Processing Addendum (“Prior UK DPA”). The ICO has specified that any contracts entered into prior to September 21, 2022 and using the SCCs (e.g. through ClassDojo’s Prior UK DPA) will continue to be valid until March 21, 2024. For any UK school that previously contracted with ClassDojo with the initial SCCs, these contracts are still valid until March 21, 2024. For any additional information regarding Section 702 or our supplementary measures, please see our FAQ here. Additionally, if you would like to receive a copy of our Transfer Impact Assessment (“TIA”), please email privacy@classdojo.com. The “Supplemental Measures” listed within the TIA are measures in place prior to the recently announced and enhanced U.S. Government safeguards, which will be implemented in connection with the new Privacy Framework (but can be used for any transfer mechanism).
- EEA or Switzerland-based schools: Post December 27, 2022, all prior use of the SCC’s are no longer allowed as a valid transfer mechanism; however, the International Student Data Processing Addendum you previously entered into to provide required GDPR protections and meet GDPR requirements (separate from the transfer mechanism) still remain valid. We are continuing to await guidance on the SCCs Lite or the allowed use of the New SCCs for importers subject to GDPR, such as ClassDojo.
New Contracts:
- UK schools: Additionally, ClassDojo is awaiting further details on whether the Privacy Framework will also be extended to the UK. For any new contracts entered into post-September 21, 2022, please email privacy@classdojo.com for more information on how to execute an International Data Processing Addendum with the UK Addendum.
- EEA or Switzerland-based schools: ClassDojo will incorporate the SCCs Lite into our International Student Data Processing Addendum once these are developed and adopted and we receive more guidance from the European Commission and the EDPB. ClassDojo can also enter into GDPR-specific Data Protection Addendums without the New SCCs (which, as mentioned above, the guidance from the EDPB stated that where the importer is subject to GDPR, such as ClassDojo, the New SCCs can’t be used) to provide required GDPR protections and meet GDPR requirements. If the new Privacy Framework is operational prior to the SCCs Lite being developed, ClassDojo will rely on the new Privacy Framework as the transfer mechanism and will not rely on the SCCs Lite. If you would like to review or enter into ClassDojo's International Student Data Processing Addendum, please email privacy@classdojo.com.
Transfer Impact Assessment:
For any additional information regarding Section 702 or our supplementary measures, please see our FAQ here. Additionally, if you would like to receive a copy of our Transfer Impact Assessment (“TIA”), please contact privacy@classdojo.com. The “Supplemental Measures” listed within the TIA are measures in place prior to the recently announced and enhanced U.S. Government safeguards, which will be implemented in connection with the new Privacy Framework (but can be used for any transfer mechanism).
Additional Resources:
- ClassDojo's Trust Center
- ClassDojo's Privacy Policy
- ClassDojo's Information Transparency page
- ClassDojo's Security Whitepaper
Comments