The 2021 SCCs account for the judgment of the Court of Justice of the European Union in the Schrems II case and confirm that international data flows under the General Data Protection Regulation (GDPR) can continue to be based on the 2021 SCCs where appropriate technical and organizational safeguards have been implemented to legitimize the transfer.
In our new Data Processing Addendum (DPA), we have incorporated the 2021 SCCs into our contracts, along with commitments around enhanced audit rights and strengthened government access commitments, which will help our global customers with compliance requirements for safe data transfers.
What are Slack’s technical and organizational safeguards in response to Schrems II?
Following the Schrems II ruling, companies transferring E.U. personal data to non-E.U. countries, such as the United States, must conduct case-by-case assessments to identify any necessary supplemental measures to protect the personal data being transferred. Slack assists our customers in performing Transfer Impact Assessments, which include reference to the implementation of “relevant contractual, technical or organisational safeguards” to supplement protections under the 2021 SCCs where necessary.
At Slack, we deploy extensive safeguards to protect customer data, which apply to all plan levels. As outlined in our security whitepaper and security practices, our security approach focuses on governance, risk management and compliance. This includes encryption at rest and in transit, network security and server hardening, administrative access control, system monitoring, logging and alerting, and more.
As part of our commitment to trust and transparency, our Data Request Policy outlines Slack’s policies and procedures for responding to requests from government and law enforcement entities. This policy guides our practices with respect to requests for third-party data, requests by legal authorities, customer notice and international requests for data. Slack only provides data in response to legally binding, jurisdictionally appropriate and valid legal processes. In addition, a legal process must be jurisdictionally appropriate to the data sought, including data stored through Slack’s data residency feature.
Our annual Transparency Report details requests for data that we’ve received, including those from law enforcement and government entities. As further explained in Slack’s Data Request Overview, Slack does not and cannot be ordered to take any action to facilitate bulk surveillance as contemplated in Executive Order 12333, nor is Slack eligible to receive a request under FISA § 702 for upstream surveillance (the type of order principally addressed in, and deemed problematic by, the Schrems II decision).
For more information on Slack’s privacy program generally and our commitment to protecting the security and privacy of your data, please visit our Trust Center.
How can customers sign Slack’s new DPA or implement the 2021 SCCs into their existing agreements?
Customers who want to update their current DPA to implement the 2021 SCCs or who are entering into a DPA for the first time can sign the new DPA here. For existing customers, this new DPA will replace their current DPA entirely and allow customers to rely on the 2021 SCCs and enhanced rights mentioned above.
We are committed to ensuring that our customers’ data can continue to flow freely between the E.U. and the U.S., and we will continue to partner with regulators, industry groups and similarly situated SaaS companies to make sure our customers’ needs are met. If you have any questions, please reach out to firstname.lastname@example.org.