Visier Data Transfer Impact Assessment Info Sheet
Current as of August 2023
Please note that this document is for informational purposes only and does not constitute legal advice. Visier customers are responsible for conducting their own independent risk assessment of data transfers in connection with their use of Visier services. Visier’s obligations to customers are outlined in the respective customer agreements and this document does not form part of, or modify, any agreement between Visier and Visier customers.
The European Commission (EC) and UK Standard Contractual Clauses (SCCs) require that a Data Transfer Impact Assessment (DTIA) be performed when transferring personal data outside of the EU/EEA and the UK to countries without an adequate data protection level (referred to as third countries). Organizations are required to carry out risk assessments of the laws and practices in the third countries they transfer data to, particularly with regard to law enforcement authorities or security services demanding access to, or intercepting, the personal data transferred.
At Visier, we transfer our customers’ personal data outside the EU/EEA and the UK as necessary to provide the services, including for the purposes of hosting, support, security, and sub-processing. The personal data we process depends on the services a customer subscribes to, how they configure and use our services, and what personal data the customer submits to us for processing.
We put together the following DTIA information to assist our customers in performing their own assessment with respect to their use of our services. Our intent is to help customers understand where personal data transfers to third countries occur as well as any supplementary measures we have taken, and require our own vendors to take, to safeguard our customers’ personal data.
See Schedule 1 of the Visier Data Privacy Addendum (DPA) for information on the nature of our processing activities in connection with the provision of our services; the types of personal data we process and transfer; and the categories of data subjects.
See Schedule 1 of the Visier DPA. Visier customers may elect to transfer special categories of personal data, but we do not require customers to submit this type of data.
The purposes for which we process customers’ personal data are described in Schedule 1 of the Visier DPA.
We use sub-processors to provide our services. These sub-processors may act as data importers. Our sub-processors are listed on the Visier Trust site and the list includes the details on location/country of each sub-processor.
Customers choose one of the following data center locations: U.S., Germany, Canada, and Singapore. Customer data is stored exclusively in the selected region unless otherwise authorized by a customer.
The European Commission (EC) has determined that certain countries outside the European Economic Area (EEA) adequately protect personal data, which means that data can be transferred from the European Union (EU) and Norway, Liechtenstein and Iceland to that third country without any further safeguard being necessary. The UK and Switzerland have approved similar adequacy decisions.
The UK and Canada’s privacy laws have been recognized by the EC as meeting the adequacy requirement for the protection of personal data.
The U.S. Department of Commerce developed the EU-U.S. Data Privacy Framework (EU-U.S. DPF) to facilitate international data transfers. The EC has adopted an adequacy decision for the EU-U.S. DPF concluding that the US ensures an adequate level of protection for personal data transferred under the EU-U.S. DPF from a controller or processor in the EU to certified organizations in the US.
Following the adequacy decision, Visier relies on the EU-U.S. DPF as a legal basis for transfers of personal data from the EU to the U.S. Visier will rely on the UK extension to the EU-U.S. DPF and the Swiss-U.S. DPF when the applicable local authorities approve the adequacy decisions. In the meantime, Visier continues, and will continue, to offer a DPA which includes the SCCs as a transfer mechanism with every customer who needs one, in addition to reliance on the EU-U.S. DPF.
We have concluded the SCCs with all data recipients including amongst the Visier group of companies.
In order to provide our services, we may disclose customer data to our subsidiaries/affiliates and authorized sub-processors. These onward transfers are only made as necessary to deliver our services in accordance with our customers’ agreements and customers’ instructions.
We have no reason to believe that we or our US-based sub-processors would be subject to US surveillance under FISA 702, EO 12333, or the CLOUD Act.
FISA Section 702 allows US government authorities to issue orders to certain types of companies in the US about certain individuals located outside the US for the purposes of foreign intelligence information gathering. These orders may only be issued to “electronic communications service providers” as defined under FISA. Our position is that we are not an “electronic communications service provider,” and as such are not subject to requests to access personal data under FISA 702.
EO 12333 authorizes intelligence agencies to conduct surveillance outside of the US, in particular to collect foreign signals intelligence information from communications and other data passed by radio, wire and electromagnetic means. EO 12333 cannot authorize the US government to require any company or person to disclose data; instead, it must rely on a statute such as FISA 702 to collect data. In addition, bulk data collection is prohibited under EO 12333. We do not believe that EO 12333 introduces a substantial risk to our customers with respect to the use of our services. The type of data that our customers send to us as part of their use of the services does not constitute the type of data that is relevant to the US government during intelligence operations. Furthermore, we encrypt data in transit, so the risk of customer data being intercepted in the clear is low.
The CLOUD Act is part of the US Stored Communications Act (SCA). The SCA only permits US public authorities to request data from “electronic communications service providers.” Our position is that our services are not an electronic communications service subject to the SCA. As such, we would not be subject to requests under the CLOUD Act for that data.
Surveillance in India takes place primarily under two laws: the Telegraph Act, 1885 and the Information Technology Act, 2000. A comprehensive data protection law to address the gap in existing frameworks for surveillance is yet to be enacted. Under the existing laws, the Indian government can intercept communications only in certain, limited situations, and the Indian courts have stepped in several times against unlimited surveillance.
All India-based companies could be subject to clandestine surveillance by Indian government authorities for data in transit; however, we have no reason to believe our India-based sub-processors would be subject to Indian surveillance based on the types of data that our customers send to us as part of their use of the services.
Public agencies in Singapore are not subject to the data protection provisions under the Singapore Personal Data Protection Act (PDPA); rather they have their own set of data protection rules which all public agencies must comply with.
There are certain laws in Singapore that empower Singapore authorities to access and seize data stored in Singapore, whether for domestic purposes or at the request of a foreign country. These laws include the Telecommunications Act, the Official Secrets Act, the Prevention of Corruption Act and the Foreign Interference Act. However, depending on the law, there are safeguards in place in relation to the exercise of such power, such as a requirement to obtain a court order.
All Singapore-based companies could be subject to clandestine surveillance by Singapore public authorities for data in transit; however, we have no reason to believe our Singapore-based sub-processors would be subject to Singapore surveillance based on the types of data that our customers send to us as part of their use of the services.
To date, we have never received a US National Security Request, including requests for access under FISA 702, the CLOUD Act, or direct access under EO 12333, in connection with customers’ personal data.
In addition, we have never disclosed any personal data from any customer to any government authority.
We take privacy and security of our customers’ data seriously and have implemented technical, contractual, and organizational measures to safeguard the data entrusted to us.
To learn more, please visit the Visier Trust site.
We have conducted our own DTIAs with respect to processing of personal data in connection with Visier services. These assessments include legal interpretation and analysis and we do not provide legal counsel or results of internal assessments to customers. Customers must conduct their own assessment with respect to their use of Visier services.
If you have specific questions not covered in this info sheet please contact us at email@example.com.
The global privacy landscape is constantly evolving, and we are committed to continuously monitoring all developments and guidance from national supervisory authorities and other regulatory bodies.
We will update this info sheet from time to time to reconsider the risks involved, and the measures implemented, as they relate to personal data transfers.