Privacy Shield compliance

Hubstaff is Privacy Shield certified

Hubstaff retains customer data in the United States and is certified under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.

Though Privacy Shield has been declared “invalid” by the Court of Justice of the European Union in the Schrems II case (see below for more information), Hubstaff maintains its certifications and continues to meet its obligations under the EU-U.S. and Swiss-U.S. Privacy Shield frameworks.

Standard Contractual Clauses

Hubstaff utilizes the EU’s Standard Contractual Clauses (“SCCs”) as an alternate legal transfer basis to Privacy Shield. Hubstaff’s Data Processing Addendum (DPA) incorporates the SCCs and is incorporated by reference into, and made a binding part of our Terms of Service and Agreement (as defined in our Terms of Service) with Hubstaff users. Please see our Data Processing Agreement for more information.

Privacy Shield Invalidation

On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States. That decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.

On September 8, 2020 the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland issued an opinion concluding that the Swiss-U.S. Privacy Shield Framework does not provide an adequate level of protection for data transfers from Switzerland to the United States pursuant to Switzerland’s Federal Act on Data Protection (FADP). As a result of that opinion, organizations wishing to rely on the Swiss-U.S. Privacy Shield to transfer personal data from Switzerland to the United States should seek guidance from the FDPIC or legal counsel. That opinion does not relieve participants in the Swiss-U.S. Privacy Shield of their obligations under the Swiss-U.S. Privacy Shield Framework.

The U.S. Department of Commerce continues to administer the Privacy Shield program, including processing submissions for self-certification and re-certification to the Privacy Shield Frameworks and maintaining the Privacy Shield List. If you have questions, please contact the European Commission, the appropriate European national data protection authority or legal counsel.

Questions & Contact

If you have any questions, comments, or concerns related to the Privacy Shield certification, please feel free to contact us.

Hubstaff has appointed a data protection officer (DPO). You may contact Hubstaff’s DPO Jared Brown at jared@hubstaff.com.