Standard Contractual Clauses Update
This webpage contains important information about Qualtrics’ Data Processing Agreement and the Standard Contractual Clauses.
Qualtrics protects the rights of individuals whose data we process. We strive to continuously strengthen our reputation as a trusted and reliable business partner in the market. While Qualtrics provides technology that enables our customers to be compliant with a variety of privacy laws, Qualtrics’ customers should seek their own legal advice as to how to comply with privacy laws.
What are the Standard Contractual Clauses?
Transfers of personal data from the European Union (EU) to countries outside the EU are regulated by the General Data Protection Regulation (GDPR), which requires that any personal information transferred outside the EU be given an “adequate level of protection.” Some countries have obtained an “adequacy” finding from the European Commission. Without an adequacy finding, companies that transfer personal data to such third countries are required to implement other means to legitimize the transfer of personal data. One commonly used way to do so is for the parties engaging in such transfers to enter into the “standard contractual clauses” (“SCCs”). The use of standard contractual clauses is not new, but the previous iteration of the clauses was adopted over ten years ago under the previous EU Data Protection Directive 95/46. Given changes in the law and in how parties transact, a new set of standard contractual clauses was published on 7 June 2021, in Commission Decision 2021/914/EU (New SCCs). The New SCCs will replace the previous set of standard contractual clauses.
Does Qualtrics use the SCCs?
Yes, the New SCCs are entered into by Qualtrics and its customers as part of the overall Terms of Service and/or General Terms and Conditions for Cloud Services (GTC). The GTCs include a Data Processing Agreement (DPA), and the SCCs are appended to that DPA.
Why were the SCCs updated?
In June 2021, the European Commission adopted “new” modernized SCCs (“New SCCs”) to replace the “old” SCCs and required that all companies who transfer personal data to third countries update their contacts to reflect the New SCCs.
There have been two main reasons why an update to the existing Standard Contractual Clauses was needed: (i) the adoption of the GDPR in May 2018 and (ii) the Court of Justice of the European Union’s (“CJEU”) judgment in Data Protection Commissioner v. Facebook Ireland Limited, Maximillian Schrems (C-311/18) (“Schrems II”). In particular, with the arrival of the GDPR, there was a clear need to update the prior SCCs, which were designed for a pre-GDPR era and hence lacked some of the protections that GDPR requires. Moreover, the CJEU’s ruling in “Schrems II” introduced additional requirements to the existing SCCs as a data transfer mechanism, which made the adoption of updated SCCs mandatory.
What are the key dates and deadlines, and why is Qualtrics making these updates now?
Companies were required to update all new contracts to reflect the New SCCs by 27th September 2021. Qualtrics completed this effort, updating all new contract templates to include the New SCCs within the required timeframe.
Companies are also required to update all existing customer agreements, entered into prior to 27th September 2021, to include the New SCCs by no later than 27th December 2022. We are currently in the process of making these required updates, and this is why you have received a communication from Qualtrics.
How will Qualtrics put the new SCCs in place with customers?
Our approach to implementing the New SCCs will depend on the existing contract you have with us. We will either issue an amendment to your existing Data Processing Agreement (“DPA”) or we will send a new DPA.
Why are the SCCs required?
Qualtrics provides a self-service platform whereby customers may use the services to collect and process personal data. Qualtrics acts as a data processor on behalf of its customer, which acts as a data controller. GDPR requires that a data processing agreement be entered into between a data controller and data processor where processing of personal data occurs. Due to the nature of our services, international transfers to third countries which are not deemed to provide an adequate level of data protection will occur when using the Qualtrics Cloud Services, therefore the SCCs are required to ensure an adequate level of data protection when such data transfers are occurring.
Do all customers need to update their contracts to incorporate the new SCCs?
Yes. Given the self-service nature of the Cloud Service, customers will solely determine what data to collect, from whom, and for what purpose. As customers may be collecting personal data using the Cloud Service, which may be subject to the requirements of GDPR or other data protection laws requiring an adequate transfer mechanism to be implemented for transfers of personal data internationally, Qualtrics needs to ensure that appropriate contracts are in place to ensure compliance with applicable data protection laws.
I do not intend to collect personal data using the Cloud Services. Do I still need a DPA?
Yes. Because a customer solely determines what data to collect, from whom and what purposes, you may decide to change how you are using the services during your subscription term. In the event you start to collect personal data, both you and Qualtrics will be required to have a DPA in place.
What if my company is not subject to GDPR and I do not believe I should be required to sign a DPA or the SCCs?
Qualtrics’ DPA is neither GDPR-specific nor specific to any other data protection law. Our definition of “Data Protection Laws” as defined in the DPA includes “the applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Personal Data under the Agreement”. This is the DPA we use globally for all customers. You’ll see that the clauses listed in the DPA are not tied specifically to a country or a specific law, but instead to the obligations that we comply with when processing the personal data you process using our services.
By entering into a DPA with Qualtrics, GDPR is not imposed on customers where it would not otherwise apply. Although a customer’s current use of the Cloud Service may not be subject to GDPR, a customer may change the way they use the Cloud Service at any time during the license term without Qualtrics’ knowledge, which is why we require a DPA and SCCs to be in place in the event customer’s use falls within the scope of GDPR.It is worth noting that the majority of the obligations in the DPA are Qualtrics-specific obligations, but under certain data protection laws, both Qualtrics and the customer are responsible for ensuring the DPA is in place.
What is the structure of the new Standard Contractual Clauses?
The New SCCs contain a modular set of clauses for four scenarios:
- Controller-to-controller transfers (Module 1)
- Controller-to-processor transfers (Module 2)
- Processor-to-processor transfers (Module 3)
- Processor-to-controller transfers (Module 4)
Qualtrics only relies on Modules 2 and 3 in our customer-facing contracts, as Modules 1 and 4 would only apply if Qualtrics acts as a data controller–which is never the case with respect to the Cloud Services (Qualtrics is only a data processor). Therefore, Modules 1 and 4 are not applicable.
What are the annexes of the new Standard Contractual Clauses about?
The New SCCs include three annexes:
- Annex I – Description of the transfers: Including the description of the parties, a description of the transfers, and a description of the competent supervisory authority.
- Annex II – Security measures: Including the technical and organizational security measures implemented to protect the transferred data.
- Annex III – Sub-processors: Annex III sets out a sub-processor list and is intended for use where the data importer must receive specific authorization from the data exporter to appoint sub-processors. Where the data importer is instead given a general authorization to engage sub-processors (subject to prior notice and objection requirements), this annex does not apply. Qualtrics is implementing the general authorization concept and its subprocessor list is available at www.qualtrics.com/subprocessor-list.
Is it necessary to update my signed agreement with Qualtrics to comply with the new Standard Contractual Clauses?
If Qualtrics has sent you an amendment to your existing agreement to incorporate the New Standard Contractual Clauses, please click here to sign the amendment. Otherwise the update to the SCCs will be deemed accepted by you within 14 days of the communication.
If Qualtrics has sent you a new DPA, please sign the document you received by email, or alternatively, click here to sign the new DPA.
If you have already amended your contract to include the New SCCs since 27th September 2021, please disregard the email you have received.
Who can I contact for more information?
Please reach out to your Account Executive or Customer Success Manager.
If you have already amended your contracts to include the SCCS since 27th September 2021, please submit this form.