Our customers benefit from streamlined transactions as WatchGuard has joined the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. This allows our European Economic Area (EEA) and UK customers to freely transfer personal data to WatchGuard in the U.S.
EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF
The EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF (collectively “Data Privacy Framework” or “DPF”) were developed to facilitate transatlantic commerce and establish a set of requirements governing participating organizations’ use and treatment of personal data received from the EEA, the UK and Switzerland (collectively “Europe”). U.S. companies that participate in these programs are deemed to provide an adequate level of protection, a requirement for the lawful transfer of personal data outside of Europe.
You can learn more about the Data Privacy Framework and the safeguards regarding access to data transferred to the U.S. by the U.S. intelligence agencies by visiting this FAQ page on the European Commission’s website.
WatchGuard and the DPF Certification
At WatchGuard, protecting the privacy and security of our customers and partners is our top priority. Our certification to the Data Privacy Framework is an integral part of this commitment and an addition to WatchGuard’s broader data protection efforts. WatchGuard’s participation in the Data Privacy Framework means that:
- WatchGuard has certified to the U.S. Department of Commerce that it adheres to Data Privacy Framework Principles with respect to all personal data received from the EEA, the UK and Switzerland.
- Our commitment to adhere to Data Privacy Framework Principles is enforceable under U.S. law and WatchGuard is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
- If we receive personal data from the EEA in the United States and subsequently transfer that data to a third party, such third party must process the personal data in a manner consistent with the DPF Principles.
WatchGuard’s certification to the DPF can be viewed here.
Benefits for WatchGuard Customers and Partners
WatchGuard’s participation in the Data Privacy Framework offers some key advantages to our partners and customers:
- No need for standard contractual clauses. Since the European Commission has recognized commercial organizations participating in the EU-U.S. Data Privacy Framework as providing adequate protection, there is no longer a need to conclude standard contractual clauses between the EU/EEA data exporter (such as one of our customers or partners) and the U.S. data importer (such as WatchGuard). Based on UK Government Regulations, the same is true for data transfers from the UK.
- No need to conduct a transfer impact assessment (TIA). European companies that transfer data to the U.S. in reliance on standard contractual clauses are required to conduct transfer impact assessments. As noted in the guidance from the European Data Protection Board, transfers to U.S. companies participating in the DPF will not need to undergo the TIA process.
- Independent dispute resolution mechanism. As a DPF participant, WatchGuard has committed to refer unresolved DPF Principles-related complaints to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. This service can be accessed here and is provided free of charge to the users of our European customers and partners in case DPF Principles-related complaints are not timely resolved by WatchGuard.
Timing of These Changes
- EEA-U.S. Transfers: WatchGuard started receiving personal data from the EU/EEA in reliance on the EU-U.S. DPF effective October 10, 2023.
- UK-U.S. Transfers: WatchGuard started receiving personal data from the United Kingdom and Gibraltar in reliance on the UK Extension to the EU-U.S. DPF effective October 12, 2023.
- Swiss-U.S. Transfers: Even though the effective date of the Swiss-U.S. DPF is July 17, 2023, and WatchGuard is certified to this program, personal data cannot be received from Switzerland in reliance on the Swiss-U.S. DPF until the date of entry into force of Switzerland’s recognition of adequacy for the Swiss-U.S. DPF. Until then, WatchGuard will continue relying on standard contractual clauses as a lawful mechanism to transfer personal data from Switzerland to the U.S. As soon as Switzerland recognizes adequacy of the Swiss-U.S. DPF, WatchGuard will automatically start relying on the DPF to lawfully receive personal data from Switzerland in the United States as reflected in our Data Processing Agreement.
Effective October 10, 2023, WatchGuard’s Data Processing Agreement has been updated to account for these changes and will apply to our customers and partners automatically. If you would like to obtain an executed copy of our updated DPA, please reach out to [email protected].
What about regions or scenarios where the DPF does not apply?
If the DPF is invalidated or cannot be relied upon for any other reason, the Data Transfer Addendum in Annex 2 of our Data Processing Agreement will apply and standard contractual clauses will automatically replace the DPF as a data transfer mechanism.
If you have any questions about WatchGuard’s participation in the DPF, please reach out to [email protected].