Privacy and Data Processing Agreement FAQs
On May 25, 2018, the European Union’s (EU) General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) came into effect. The GDPR set guidelines for the collection and processing of personal data from individuals who reside in the EU (for more information on the GDPR, please refer to our GDPR privacy page, here: https://www.predictiveindex.com/privacy/gdpr/).
PI’s Data Processing Agreement (DPA) was developed in 2018 to meet the GDPR’s processing requirements, and to facilitate our clients’ compliance with requirements for contracts between entities involved in processing personal data.
Prior to July 2020, the two primary methods used by U.S. companies to implement adequate safeguards to import personal data from the European Economic Area (EEA) were the (1) European Commission’s Standard Contractual Clauses adopted in 2001 and 2010 under the Data Protection Directive 95/46/EC (the “Old SCCs”), and (2) the EU-US Privacy Shield.
PI’s DPA incorporated the Old SCCs and PI was also certified in the Privacy Shield; with these two methods, PI was able to import personal data from the EU/EEA.
What happened in July 2020?
On July 16, 2020, the Court of Justice of the European Union (CJEU) issued its decision in Data Protection Commissioner v. Facebook Ireland Limited and Maximillian Schrems (“Schrems II”). The CJEU invalidated the Privacy Shield, finding that it did not provide adequate protection to EU citizens, while upholding the use of SCCs for transfers of personal data to third countries.
However, the CJEU ruled that a case-by-case analysis should be performed to determine whether the SCCs should be supplemented with even more safeguards in order to ensure that data subjects would be granted a level of protection in the third country that was essentially equivalent to the protections guaranteed under EU law.
The Schrems II decision was a leading factor in the European Commission recognizing the need to update the SCCs, and it set about doing so in the fall of 2020.
What is applicable now?
On June 4, 2021, the European Commission issued a new set of clauses (the “New SCCs”), which are designed to provide adequate safeguards for the transfer of personal data to a non-EEA country, and are in alignment with the GDPR. The New SCCs must be implemented as follows:
- Starting on September 27, 2021, the new SCCs must be executed for all new data transfers (i.e. new EU/EEA clients).
- There is a transition period, until December 27, 2022, where parties (i.e. existing EU/EEA clients) may continue to rely on Old SCCs that were executed prior to September 27, 2021.
- After December 27, 2022, all data transfers must be converted to the New SCCs.
If I am in the EU/EEA, can I safely transfer my data to the US?
Yes. The New SCCs are a valid mechanism for data transfer from the EU/EEA to the U.S.
We do not collect information from children. PI assessments are not designed to be administered to anyone under the age of 18, therefore we do not solicit or collect any type of information from anyone under the age of 18.
Where can I find PI’s DPA?
You may find a pre-signed version of PI’s DPA here.
What about the UK?
As a result of Brexit, the New SCCs do not apply to data transfers from the UK. The UK Information Commissioner’s Office (“ICO”) is in the process of publishing its own SCCs (the “UK SCCs”), which will very likely include a UK Addendum to the New SCCs which would reduce the need for parties to enter into both EU SCCs and the full UK SCCs. For companies with business in both the UK and the EU who want to send personal data to the U.S., this would allow them to agree on one set of SCCs. However, this is not expected to be finalized until the very end of 2021, or early 2022.
Until then, UK companies can continue to rely upon the Old SCCs, and use PI’s old DPA. Please reach out to either your PI Partner or the PI Legal Department for this document.
Companies with both a UK and EU presence who wish to export data to the U.S. must, for now, enter into both sets of Clauses.
How does PI protect the security of my Personal Information?
However, despite all of our efforts, no security safeguards or standards are guaranteed to provide 100% security. Please protect your password information, unique PI assessment email invitation and its contents, and use caution when logging into your account from a shared or public computer.
What are “subprocessors?”
Subprocessors are third parties engaged by PI that help us provide our products and services to you, and in doing so, have access to your data. Our “Technical Subprocessors” help us with our technology infrastructure (such as our web servers and hosting providers), and our “Service Subprocessors” are members of PI Partner network (and their subcontractors) that help us provide PI services to you. A complete list of our Technical Subprocessors may be found here: https://www.predictiveindex.com/privacy/subprocessors/
How can I change, update, or delete my Personal Information?
If you are inquiring about information collected in connection with a PI assessment, please contact the company who requested that you take the assessment. PI is not a “controller” of the Personal Information of Respondents, and will pass any requests along to our Customers and will not respond to the request itself. We do not control or own assessment data and we handle it on behalf of our Customers as a data processor. We process assessment data governed by the written agreements in place with our Customers and to the extent necessary to comply with applicable law. To the extent instructed by our Customer and in accordance with our customer agreement and applicable law, we will assist a Customer in complying with Respondent data access requests by providing relevant information and support to the particular Customer to enable it to comply with the request.
Customers and Users
If you would like to have your user personal information deleted from our systems, please contact us at firstname.lastname@example.org or contact your administrator.
Pursuant to Article 27 of Europe’s General Data Protection Regulation (GDPR), Predictive Index, LLC has appointed European Data Protection Office (EDPO) as its GDPR representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR by sending an email to email@example.com, using EDPO’s online request form, or writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium.
Wait, what if I have questions? Am I supposed to sign the DPA?
If you have any questions or concerns, shoot us an email to firstname.lastname@example.org. If you are not the authorized person to sign for your company for these types of things, please forward to your legal department or Privacy Officer.
If you have any questions, comments or complaints about this Policy or the enforcement of this Policy, or would like to request access to your Personal Data,
please contact us as follows:
The Predictive Index, LLC
101 Station Drive
Westwood, MA 02090
If you are in the EEA, you also have the right to complain to the local data protection authority (DPA) within the EEA. You can find the details of your local DPA here.
Updated January 20, 2022