Follow

Transfer of Personal Data to the U.S.

At ClassDojo, we take our commitment to your privacy and data protection seriously, that's why every ClassDojo product is designed with privacy and security first. We believe you should have meaningful control over your data and know exactly how it is used.

As a US-based company, user data is stored in the United States. As such, certain jurisdictions require specific legal requirements are met in order to transfer this personal data from your location to the United States. When personal data is transferred outside of the European Economic Area (“EEA), the United Kingdom (“UK), or Switzerland, the General Data Protection Regulation, including as implemented or adopted under the laws of the UK (“GDPR”), requires specific conditions to be fulfilled to ensure an equivalent level of protection for this data. 

 

How can Personal Data from the EEA or UK be Lawfully Transferred to the U.S.?

International transfer of personal data is regulated under the GDPR to ensure the continued protection of personal data outside of the EEA, Switzerland, or UK.  To ensure this, the GDPR sets forth the mechanisms that may be used for international transfer. These include:

  • Adequacy decision delivered by the EU Commission where the EU Commission decided the recipient country ensures an adequate level of protection for personal data (e.g., Argentina, Canada, Israel, Japan, complete list available here); or
  • In the absence of an adequacy decision:
    • Article 49 derogations (such as consent); or
    • Appropriate safeguards (i.e. transfer mechanism) which can be outlined in a legally binding instrument, such as a contract between the parties. Following the decision of the Court of Justice of the European Union (CJEU) on July 16, 2020 (“Schrems II decision”), which invalidated the EU-US Privacy Shield, the following has been determined to be valid transfer mechanism under this approach:
      • The European Commission’s Standard Contractual Clauses (“SCCs”).

What Mechanism under the GDPR does ClassDojo use to Transfer Personal Data to the U.S? 

If you are based in the EEA, Switzerland, or the UK, in order to meet these legal requirements, we obtain explicit consent from individual users (e.g. data subjects) under the Article 49(a) derogation provided for in the  GDPR.  Additionally, where we are acting as a processor (as that term is defined under the GDPR) to schools located within the EEA, Switzerland, or the UK, and have a contractual relationship with these schools, we offer the SCC’s.  Please ask your School Leader to contact us at privacy@classdojo.com in order to obtain the SCCs to further assist with meeting the GDPR legal requirements regarding personal data transfer to the United States.  Please see the additional information set forth below regarding SCC’s prior to contacting us. 

If you started using ClassDojo from the EEA or Switzerland prior to July 16, 2020, the transfer of your data to the US was covered under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield”). On July 16, 2020, the CJEU issued a ruling invalidating the EU-U.S. Privacy Shield program. Given this decision, for individual users with whom ClassDojo can not enter into SCC’s, ClassDojo must obtain explicit consent from data subjects in order for these users to continue to access and use the ClassDojo service.  

As of July 16, 2020, we no longer rely on the Privacy Shield to transfer data that originated in the EEA, Switzerland, or the UK to the U.S, but continue to uphold our obligations and responsibilities for data transferred prior to this date under the Privacy Shield.  Additionally, even though we are not relying on the Privacy Shield as a transfer mechanism from the EEA, Switzerland or UK to the U.S., we have chosen to continue to comply with the Privacy Shield and its commitments to demonstrate our continued commitment to privacy. 

If you do not wish to provide consent, or you would like to withdraw your consent at a later time, you will need to either delete your account or request that we delete it for you by emailing us at privacy@classdojo.com.

 

Please read below for more context and information: 

General Data Protection Regulations (GDPR)

ClassDojo has complied with GDPR since it went into effect on May 25, 2018. You can learn more about ClassDojo's compliance with GDPR here. To make GDPR related data access, correction, deletion or data download requests, please submit a request to our Support Team using this form or by emailing us at privacy@classdojo.com.

 

How does the invalidation of the Privacy Shield framework affect data transfers from ClassDojo users in the EEA, Switzerland or the U.K. to the U.S.?

 

On July 16, 2020, the CJEU issued a ruling – the Schrems II decision - invalidating the  Privacy Shield program. As of July 16, 2020, we no longer rely on the Privacy Shield to transfer data that originated in the EEA, Switzerland, or the UK to the U.S, but continue to uphold our obligations and responsibilities for data transferred prior to this date under the Privacy Shield.  The U.S. Department of Commerce has made it clear that companies still need to meet their obligations under the Privacy Shield for data previously transferred under the Privacy Shield to the U.S. prior to the Privacy Shield invalidation. Given this, you will still see our statements related to Privacy Shield in our Privacy Policy, to confirm our obligations for any personal data that we previously transferred pursuant to the Privacy Shield. Additionally, even though we are not relying on the Privacy Shield as a transfer mechanism from the EEA, Switzerland or UK to the U.S., we have chosen to continue to comply with the Privacy Shield and its commitments to demonstrate our continued commitment to privacy.    

Article 49 of the GDPR provides for various mechanisms for international transfers of personal data, including consent, and ClassDojo currently relies on consent (for individual users) as a means of transfer to the United States as well as the SCCs when appropriate (as noted below) and where we are acting as a data processor (as that term is defined under the GDPR) to schools. 

 

Standard Contractual Clauses:

The European Commission’s SCCs are legal contracts entered into between parties that are transferring personal data outside of the EEA, Switzerland and the UK into the U.S.  The initial SCC’s were drafted and approved by the European Commission in 2010.  Following the Schrems II decision, the European Commission published a new draft of the SCC’s to incorporate the requirements of GDPR and the Schrems II decision with the final version published on June 4, 2021 (the “New SCCs”).  The European Commission granted companies a transitional period of 18 months to implement the New SCCs in their existing contracts that contained the initial SCCs.  For any new contracts, companies have until September 27, 2021, to still utilize the initial  SCCs.  However, due to Recital 7 in the New SCCs, there remains a question of whether the New SCC’s can be used by U.S. companies subject to the GDPR.  Due to this, ClassDojo is continuing to await additional guidance before providing the New SCCs where we do not have existing contracts with schools.  Please see below for more information: 

 

 

Existing Contracts:

  • For any school that previously contracted with ClassDojo with the initial SCCs, these contracts are still valid until December 27, 2022. For any additional information regarding Section 702 or our supplementary measures, please see our FAQ here.  Additionally, if you are a UK school, you should be aware that the UK has not approved the New SCCs and thus, the initial SCCs must still be used. 

New Contracts:

  • UK schools: ClassDojo has SCCs incorporated into our International Student Data Processing Agreement. The UK has not approved the New SCCs so the initial SCCs must be used in order to be a valid transfer mechanism under the GDPR If you would like to review or enter into ClassDojo's International DPA please reach out to privacy@classdojo.com for more information.
  • EEA or Switzerland based schools: ClassDojo will incorporate the New SCCs into our International Student Data Processing Agreement once we receive more guidance from the European Commission regarding Recital 7.  If you would like to review or enter into ClassDojo's International DPA please reach out to privacy@classdojo.com for more information.

If you would like to review or enter into ClassDojo's International DPA please reach out to privacy@classdojo.com for more information. 

 

Additional Resources:

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk