Protecting transfers of personal data outside the EU and EEA
Mediaocean is committed to upholding global data privacy and security standards, including those set forth by the European Commission (“Commission”) in the updated Standard Contractual Clauses (“SCCs”) issued in June 2021.
Mediaocean implemented the new SCC framework in its contracting processes with new customers in September 2021 and these updated SCCs are incorporated by reference into existing signed agreements with customers with effect from 1 November 2022.
Mediaocean’s technical, operational and policy safeguards respond to the new SCC requirements
Like the previous SCCs, these clauses can be used to facilitate lawful transfers of data if certain conditions are met. Annex II to the SCCs provides a list of technical and organizational measures that provide adequate protection for personal data transfers to third countries. Our security measures align with these Annex II supplementary measures. Together with our focus on Privacy by Design and contractual commitments, Mediaocean’s policies and measures help global organizations meet the requirements of data privacy and protection regulations. For more details on any of these measures or policies, please contact us at firstname.lastname@example.org.
Appropriate legal protections
The Implementing Decision issued by the Commission on 4 June 2021 provides a helpful framework for the overall assessment of whether additional measures are needed to supplement the SCCs. When making the assessment, the parties are encouraged to consider factors such as:
- Reliable information on the application of the law in practice;
- The existence or absence of requests in the same sector; and
- The documented practical experience of the data exporter and/or data importer.
While not exempt from US laws permitting public authority surveillance, the nature of Mediaocean’s business means that we are not a likely target for US surveillance matters. In fact, the United States Department of Commerce has issued an official statement affirming that “most US companies do not deal in data that is of any interest to US intelligence agencies” and that the kinds of data transfers undertaken by most US companies do not present the type of privacy risk that concerned the European Court of Justice in the Schrems II case of 2020. The Department’s statement further clarifies that businesses whose operations involve “ordinary commercial products and services” with the transfer of personal data involving “ordinary commercial information like employee, customer or sales records” would have no basis to believe that US intelligence agencies would seek to collect such data.
In company history, Mediaocean has never been the subject of a public authority data request in the US or elsewhere. If Mediaocean were to receive such a request concerning the data of EU citizens, we would honor our obligations in compliance with Section III (“Local Laws and Obligations in Case of Access by Public Authorities”), Clause 14 (“Local laws and practices affecting compliance with the Clauses”) and Clause 15 (“Obligations of the data importer in case of access by public authorities”) as well as Section IV (“Final Provisions”), Clause 16 (“Non-compliance with the Clauses and termination”) of the SCCs.
Additional steps Mediaocean will take
In addition to the technical, operational and policy safeguards listed above, Mediaocean will also:
- Evaluate and where necessary complete Transfer Impact Assessments for all Subprocessors involved in processing activities; and
- Update all relevant Subprocessor agreements to comply with the new SCCs.
Applicability of the new clauses
The language of the clauses of the SCCs may not be varied. The SCCs form part of our signed contract with your organization, to protect the data flows outside the EU of any personal data you ask us to process under that contract. The applicable SCCs, modules reflect the relationship between the organization exporting the data (in this case, a company who is a client of Mediaocean) and the organization importing the data (Mediaocean). Mediaocean will be acting as a data processor for our client companies. The SCCs will apply to any agreement between Mediaocean and its customers that involves the transfer of personal data outside the EU, EEA, and replace the former versions of any SCCs in previously signed agreements.
Transfers outside the EU
Mediaocean commits to ensuring that any transfer of personal data outside the EU is carried out in compliance with the EU General Data Protection Regulation (“EU GDPR”). The EU SCCs will apply to customer data that is transferred outside the European Economic Area (EEA), either directly or via onward transfer, to any country not recognized by the European Commission as an adequate country. The SCCs will not apply to customer data that is not transferred, either directly or via onward transfer, outside the EEA. In relation to personal data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
- Module 2 will apply;
- In Clause 7, the optional docking clause will apply;
- In Clause 9, Option 2 (General Written Authorization) will apply, subject to the requirements set out in Annex III of this DPA, and the time period for prior notice of Subprocessor changes shall be thirty (30) days;
- In Clause 11, the optional language will not apply;
- In Clause 17, Option 1 will apply, and the EU SCCs will be governed by French law;
- In Clause 18(b), disputes shall be resolved before the courts of France
- With regard to Annex 1(a) of the EU SCCs, the customer shall be deemed to be the Data Exporter and Mediaocean shall be deemed to be the Data Importer. Annex I of the EU SCCs shall further be deemed completed with the information linked here and signed by the signature on the existing agreement between Mediaocean and the customer;
- Annex II of the EU SCCs shall be deemed completed with the information linked here; and
- Annex III of the EU SCCs shall be deemed completed with the information linked here.