EU Data Protection FAQs

What is the EU Data Protection Directive?

The EU Data Protection Directive (also known as Directive 95/46/EC) is the European Union Directive that regulates the processing and movement of personal data within the European Union. The Directive sets out a number of requirements to protect personal data when it is subject to transatlantic transfer, or any subsequent processing that takes place outside of the EU.

What is the EU-US Safe Harbor Framework?

The EU-US Safe Harbor Framework was established by the European Commission and the U.S. Department of Commerce in 2000 to facilitate transfers of personal data from the EU to eligible U.S. companies that comply with the Safe Harbor principles. It allowed for companies to self-certify themselves as compliant and move data from the EU to be stored or processed in the US.

What is the European Court of Justice Decision on the Safe Harbor Framework?

On October 6, 2015, the European Court of Justice determined that the EU-US Safe Harbor Framework does not provide a valid legal basis for transfers of personal data from Europe to the U.S. This decision has raised a lot of questions and concerns for organizations that process personal data from Europe. More information about the decision is available here.

What will take its place: The EU-US Privacy Shield

In a press release issued by the EU Commission on 2 February 2016, they announced that the EU-US Privacy Shield had been agreed. The framework for the new Privacy Shield will be built upon the following three elements:

  • Strong obligations on companies handling personal data from the EU and robust enforcement.
  • Clear safeguards and transparency obligations on U.S government access.
  • Effective protection of EU citizens’ rights with several redress possibilities.

Over the following weeks, an ‘adequacy decision’ will be drafted. This ‘will establish that a non-EU country ensures an adequate level of protection of personal data by reason of its domestic law and international commitments’. Meanwhile, the US will make the necessary preparations to implement the new framework. The European Commission released an FAQ Fact Sheet, which addresses many of the questions that both organisations and individuals might have.
In concrete terms, the Privacy Shield will require that American companies register to be on the Privacy Shield list and self-certify that they meet the requirements, this process has to be undertaken annually. The US Department of Commerce will monitor and actively verify that companies' privacy policies are presented in line with the relevant principles and are readily available.
It is likely that it will take a few months for the Privacy Shield to be put in place, and it remains unclear how each Data Protection Authority will judge its suitability. In the meantime, as always, it is of the utmost importance that all companies who regularly handle or process personal data ensure that they remain aware of all developments and stay compliant with any changes to the law, in order to provide the best possible protection for all personal data.

What does this mean for Cogmotive customers?

The court's decision does not prohibit data transfers to entities in the US, but instead requires that another method of compliance with EU data protection laws be used. To that end, Cogmotive is pleased to offer our customers two options, both of which are compliant with our EU Data Protection obligations:

  1. Cogmotive uses sub-processors from third countries outside the EU to deliver our reporting applications. In doing so, we ensure that our third party service providers offer an equivalent level of protection for customer data to if that data remained in the EU, in compliance with Data Protection requirements.
  2. For those customers who prefer that their data remain in the EU where possible, we have now established infrastructure that allows us to host the reporting data we collect from Microsoft in the EU region. For more information about this contact us at privacy@cogmotive.com.

Where is Cogmotive customers' reporting data stored?

Cogmotive uses Amazon Web Services (AWS) as our data storage supplier, with most customer data stored in the US by default. Certain subscriptions are also eligible for EU data hosting if requested.
More information on AWS compliance with EU Data Protection requirements is available here.

Does Cogmotive offer EU Data Hosting?

There are two main reason why Cogmotive cannot restrict all data transfers from Europe. We provide Support Services with all product subscriptions, and this relies on third parties that do not offer regional hosting. Furthermore, the concept of "transfer" under data protection laws is broadly interpreted to include many activities that Cogmotive may undertake as a data processor. However, Cogmotive employs state of the art security measures to protect your data, and our terms of service clearly outline our obligations to ensure that any data transfers out of Europe is done in strict compliance with data protection laws.
Cogmotive customers with certain subscription types who are located in the EU/EEA can request that their reporting data be hosted in the EU. For more information on whether you are eligible and what data is available to be hosted in the EU contact us at privacy@cogmotive.com.

Return to Top