Logo - Full (Color)
Skip to content

Legal Stuff

Talk legal to me

EU-US Data Privacy Framework | 2023 Adequacy Decision 

What the July 10, 2023, DPF means for HubSpot Customers and Partners. 

The European Commission adopted its adequacy decision for the new EU-U.S. Data Privacy Framework (the “EU-U.S. DPF”). Read more below to learn about the EU-U.S. DPF and its impact on customers and partners.

 

This page is provided for information purposes only and is not included as part of the HubSpot Customer Terms of Service. It is not intended to provide legal advice, and HubSpot encourages our customers to consult with their own lawyers to understand the legal obligations applicable to their business. The information here is subject to change. 

 

 

What happened:

On July 10, 2023, the EU Commission adopted its adequacy decision for the EU-U.S. DPF. A link to the adequacy decision can be found here.  Adequacy decisions allow the free flow of personal data from the EU to the country in question without additional safeguards or contractual agreements. For companies that sign up and comply with the EU-U.S. DPF, the EU has confirmed that the United States now provides an adequate level of protection for personal data, allowing safe and trusted data flows between the U.S. and EU.  The adequacy decision supports President Joe Biden’s October 2022 Executive Order limiting access to EU data by U.S. intelligence services and establishing a Data Protection Review Court.  A link to the Executive Order can be found here. The Executive Order and the adequacy decision reflect the commitment of both the U.S. and EU to protect personal data.

What this means for HubSpot:

HubSpot is excited about the long-awaited adequacy decision.  The HubSpot, Inc. certification can be viewed on the website of the Data Privacy Framework Program available here.  

What this means for Customers:

Customers can use HubSpot under i) the EU-U.S. DPF or ii) the Standard Contractual Clauses as the transfer mechanism where applicable (for example, from Switzerland or the UK) under our Customer Terms of Service ("TOS"), which incorporates our Data Processing Agreement or ("DPA").

 

 

European Commission Resources:

European Commission Questions & Answers: EU-U.S. DPF

European Commission Press Release on the Adequacy Decision

European Commission Press Release on the Adequacy Decision (PDF)

 

FAQs:

How does the adequacy decision impact international data transfers? 
Adequacy decisions enable the processing and transferring of personal data to a third country or an international organization without the need for additional safeguards or contractual commitments. The adequacy decision concludes that the U.S. ensures an adequate level of protection for personal data transferred from the EU to U.S. companies participating in the framework. This decision supports international data transfers, which is great news for HubSpot customers. 


What is the EU-U.S. Privacy Framework and How does it relate to the Privacy Shield? 
As discussed, the EU-US Privacy Framework (the “EU-U.S. DPF”) is an Executive Order signed by President Biden. The EU Commission granted its adequacy decision based on the new EU-U.S. Data Privacy Framework Principles. As a result, the EU-U.S. Data Privacy Framework replaces its predecessors, the “Safe Harbor” and the “Privacy Shield,” which were previously invalidated by the Court of Justice of the EU (CJEU) in the cases known as “Schrems I” and “Schrems II."


How does the adequacy decision affect HubSpot? 

HubSpot is certified under the EU-U.S. DPF, as reflected in our September 1, 2023, updates to our TOS and DPA.  You can learn more about these updates to our documents in this Community Post


Which transfer mechanism is HubSpot currently using? 

HubSpot is certified under the EU-U.S. DPF and will rely on the EU-U.S. DPF for transfers of data between the EU and the U.S. Additionally, HubSpot will continue to rely on the SCCs for cross-border data transfers to inadequate countries. We have updated our our TOS and DPA to reflect the EU-U.S. DPF.  You can learn more about the updates to these documents in this Community Post

Will customers' data be protected? 
Yes. HubSpot will maintain its level of trust and security to guard its customers' data. All personal data is protected using the same physical, technical and organizational measures as set forth in Annex 2 of our DPA.  Additional information is available on our Trust Center.

Do HubSpot customers or partners need to do anything to ensure compliance with the new Framework?
No. Current customers and partners do not need to take any action based on the EU-U.S. DPF.  HubSpot is certified under the EU-U.S. DPF and will rely on the EU-U.S. DPF for transfers of data between the EU and the U.S. Additionally, HubSpot will continue to rely on the SCCs for cross-border data transfers to inadequate countries. We have updated our our TOS and DPA to reflect the EU-U.S. DPF.  You can learn more about the updates to customer documents in this Community Post

HubSpot updated its Business Partner Data Processing Agreement based on the EU-U.S. DPF.  You can read more about the updates to the Business Partner Data Processing Agreement in this Community Post.  


What does this mean for UK customers?

On September 26, 2023, HubSpot certified the UK extension to the EU-U.S. DPF, and on October 12, 2023, the UK adopted its own DPF adequacy regulations.  HubSpot relies on the UK extension to the EU-U.S. DPF for transfers of data between the UK and the U.S. Additionally, HubSpot will continue to incorporate the SCCs for cross-border data transfers as an alternative mechanism. 


What does this mean for Swiss customers?
On July 17, 2023, the Swiss-U.S. DPF went into effect with an automatic transition for those that were previously Swiss-US Privacy Shield certified. Similar to the UK, Swiss-US transfers under the DPF will not start until Switzerland grants the DPF adequacy recognition.