An Update On The New Standard Contractual Clauses & EDPB Guidance

Box is committed to offering products and services with best-in-class privacy protection, security, and compliance. We previously shared a blog post with an update on what we've done since the invalidation of Privacy Shield by the Court of Justice of the European Union (CJEU) and discussed the safeguards and transparency measures we have in place. 

Today, we're sharing the proactive steps that Box has taken to continue to safeguard customer personal data in the Box Service, how these steps will help customers align with the highly anticipated finalized guidance on Supplementary Measures and Guarantees issued by the European Data Protection Board (EDPB), and the business impact of the new set of Standard Contractual Clauses (new SCCs) adopted by the European Commission.

To support our customers in meeting their business, privacy, security, and regulatory needs, Box is committed to implementing all necessary SCCs within the required timeframe. 

At this time, the new SCCs are not applicable to transfers of personal data from the U.K. to third-party countries.

Box is Committed to Securing Customer Personal Data

On June 21, 2021, the EDPB published the finalized guidance on Supplementary Measures and Essential Guarantees for cross-border data transfers. This finalized EDPB guidance requires controllers and processors to assess each of their transfers of personal data outside of the European Economic Area (EEA) to ensure technical, contractual and organizational measures are implemented to guarantee an adequate level of protection when transferring personal data. 

In light of the issuance of the finalized EDPB guidance, we recognize that our customers may have additional questions about how Box safeguards customer personal data. To support our customers in meeting their due diligence obligations as controllers under General Data Protection Regulation (GDPR), and to comply with our own Article 28 obligations as a processor, we've issued a Due Diligence and Supplementary Measures Report, available upon request. Our Due Diligence and Supplementary Measures Report also explains how we support our customers through implementation of supplementary measures recommended by the EDPB, such as strong industry recognized encryption of personal data in transit and at rest, encryption key management, and technical access controls.

To request a copy of the Due Diligence and Supplementary Measures Report, please email us at privacy@box.com.

New Standard Contractual Clauses - the future of data transfers for customers doing business in the EEA

The new SCCs issued by the European Commission came into force on June 27, 2021, replacing the SCCs that were originally developed under the predecessor of GDPR, the European Union Directive 95/46/EC (original SCCs). The new SCCs are intended to reflect the growing digital business economy, the increased complexity of data processing operations, and the potential for multiple parties to be involved in processing activities. In contrast to the original SCCs, the new SCCs follow a modular approach where specific sets of clauses can be used for cross-border data transfers. 

The new SCCs impact businesses engaged in transfers of personal data from the EEA to countries that have not been deemed adequate by the European Commission. Depending on whether you're a new or current customer, the timeline of applicability of the new SCCs will vary as described in further detail below.

New Box Customers Doing Business in the EEA.

After September 27, 2021, the original SCCs will cease to be valid for future use with new Box customers. This means that after September 27, new Box customers requesting a Data Processing Addendum (DPA) will have an opportunity to review and accept an updated DPA that incorporates the new SCCs on the Box GDPR website.

Current Box Customers Doing Business in the EEA

Current customers that have the original SCCs in place with Box will have until December 27, 2022 to transition to the new SCCs for existing data transfers. To maintain compliance with GPDR data transfer obligations, we encourage our current Box customers doing business in the EEA to review and accept an updated DPA with the new SCCs on the Box GDPR website prior to the end of 2022. 

Box Customers Doing Business in the U.K

Box is committed to adhering to one of the most comprehensive data protection frameworks and transfer mechanisms - Binding Corporate Rules (BCRs). Based on guidance issued by the United Kingdom’s Information Commissioner’s Office (ICO), Box customers relying on the UK BCRs can to continue do so, as Box’s Processor and Controller BCRs remain viable in the U.K. 

However, to ensure an additional lawful data transfer mechanism is in place, we encourage customers to review and accept the updated Box DPA and new SCCs on the Box GDPR website. Box's updated DPA now includes provisions to ensure automatic applicability of the U.K. SCCs once they are adopted by the ICO so that our customers may continue to make lawful data transfers from the U.K. to elsewhere.

Contact Box to Learn More

We value you - our customers - and we remain vigilant in our commitment to supporting your data privacy protection needs. As the regulatory landscape evolves, we'll continue monitoring the situation to ensure Box meets customers' business, legal, security, and regulatory needs.  To learn more about our data privacy efforts, or if you have any questions regarding the DPA or new SCCs, please email privacy@box.com.