LinkedIn

Twitter

GitHub

Q&A - Sisense and the GDPR

GDPR stands for the General Data Protection Regulation <a href="https://eur-lex.europa.eu/eli/reg/2016/679/oj" rel="noopener" target="_blank">(Regulation (EU) 2016/679 of the European Parliament and of the Council)</a>. The GDPR replaced the EU Data Protection Directive (<a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A31995L0046" rel="noopener" target="_blank">Directive 95/46/EC of the European Parliament and of the Council</a>) and came into effect on May 25, 2018 as the European Union’s (EU) data protection regulation. 
The main goal of the GDPR is to ensure the legal and safe processing of personal data of European individuals. It is considered as the gold standard in terms of the protection of personal data, and, it is expected, that a majority of the countries will soon adopt and be protected by modern privacy laws that are in the same vein as GDPR.

What is GDPR? 

The GDPR applies to all organizations that have establishments in the EU and to organizations that process personal data of European individuals.

Who does the GDPR apply to? 

Personal data only includes information relating to persons who: (i) can be identified directly or indirectly from the information in question; or (ii) who can be indirectly identified from that information in combination with other information. For example, personal data may include names, identification numbers, location data, online identifiers, home addresses, etc.

What is considered personal data? 

As a service provider, when processing personal data as part of our solutions and services, Sisense is a data processor and Sisense’s customers are the data controllers. Sisense could also be considered a subprocessor if it is engaged by another services provider.

Is Sisense a data processor or a data controller under the GDPR? 

GDPR - Overview 

Yes, provided that the transferring entity puts certain approved measures in place. Sisense relies, among others, on the Standard Contractual Clauses (SCC), also called Model Clauses, to safely transfer data outside of the European Economic Area (EEA). 
On July 16, 2020, the Court of Justice of the European Union (CJEU), in the decision known as “Schrems II”, ruled that the SCC can be relied on as a data transfer mechanism, subject to the data controller’s case-by-case analysis (known as a Transfer Impact Assessment).

Does GDPR allow data transfers of personal data of European individuals from the EU?

Absolutely. After the European Commission published its <a href="https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en" rel="noopener" target="_blank">new set of SCC</a> on June 4, 2021, we have updated our <a href="https://pages.sisense.com/rs/601-OXE-081/images/Data-Processing-Addendum.pdf" rel="noopener" target="_blank">standard DPA (Data Processing Addendum) form</a>. 
Our standard DPA form applies automatically to all new Sisense customers starting on September 27, 2021 (the date on which the new SCC came into effect). If you are an existing customer and wish to update your existing DPA with Sisense, please reach out to your support team at Sisense.

Does Sisense comply with the new EEA data protection laws that came into effect in 2021?

Sisense has put in place a number security measures to ensure that the personal data of European individuals remains protected outside of Europe. In addition to our compliance with the new SCC (as described above), Sisense’s standard DPA form elaborates on our commitment to confidentiality and protection of our customer’s personal data, the security measures we have put in place and our general compliance process with GDPR. You may find all this information in our standard DPA form.

How does Sisense ensure that personal data of European individuals remain protected outside of Europe?

In light of the “Schrems II” decision and the guidelines of the European regulators, Sisense has prepared a whitepaper that may assist our customers and prospects to perform their Transfer Impact Assessment (TIA) in relation to Sisense’s products and services and their data transfers to Sisense.
In this whitepaper, Sisense elaborates on commonly asked questions regarding personal data transfers to Sisense and the safeguards and “supplementary measures” implemented by Sisense in relation to such transfers.
If you want to get a copy of this whitepaper, please reach out to your support team at Sisense.

How can Sisense support you with your Transfer Impact Assessment (TIA) in relation to Sisense’s products and services?

Data Transfers under GDPR

Certainly. After the United Kingdom left the European Union, it adopted its <a href="https://www.legislation.gov.uk/ukpga/2018/16/section/3/enacted" rel="noopener" target="_blank">own version of GDPR</a> (known as UK GDPR) and its own Model Clauses (known as the UK SCC). Our standard DPA form incorporates the new UK SCC. Of course, the rest of the measures described above apply to these transfers as well.

Does Sisense also protect personal data of individuals in the UK after the Brexit?

The ‘Brexit’ and the UK GDPR

Sisense’s Privacy Team is always available to discuss privacy, data protection and our compliance with the GDPR and the UK GDPR, the new SCC and the UK SCC, and any other privacy-related question or concern. Please feel free to contact us at <a href="mailto:privacy@sisense.com" rel="noopener" target="_blank">privacy@sisense.com</a>.

Last but not least

How do I contact Sisense for privacy queries?