This Transfer Impact Assessment, conducted in light of the “Schrems II” ruling of the Court of Justice of the European Union, provides Planful’s customers with the necessary information to conduct their own data transfer impact assessments.
Planful transfers data outside of Europe in order to provide the Planful services to our customers. This document describes the safeguards Planful has in place in connection with transfers of customer personal data from the European Economic Area, United Kingdom or Switzerland (“Europe”), and Planful’s ability to comply with its obligations as “data importer” under the Standard Contractual Clauses (“SCCs”).
Planful complies with its obligations as a Data Importer under its Data Processing Addendum (“DPA”). The Planful DPA incorporates the SCCs and provides descriptions of Planful’s processing of the personal data (Appendix 1) and a description of Planful’s security measures (Appendix 2).
A list of our data sub-processors and the ability to sign up to receive updates to our sub-processor list can be found here.
Where personal data originates from Europe, Planful utilizes the European Commission’s SCCs to provide for an appropriate safeguard for transfer. These are included in our DPA.
Where personal data originating from Europe is transferred between Planful and third party sub-processors, Planful executes SCCs with those sub-processors.
U.S. Surveillance Laws
The Court of Justice identified FISA Section 702 (“FISA 702”) and Executive Order 12333 (“EO 12333”) as potential hindrances in accomplishing the same level of protection for personal data in the United States. More information about these laws and other U.S. surveillance laws can be found in the whitepaper “Information on U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II” from the United States Department of Commerce.
Is Planful subject to FISA 702 or EO 12333?
As a SaaS technology provider, Planful could be subject to FISA 702. However, Planful does not process personal data which is likely to be of interest to U.S. intelligence agencies. Planful is also unlikely to be subject to upstream FISA 702 orders, as we only carry traffic related to our own customers and do not provide internet backbone services (i.e. we are not a telecommunications provider). Additionally, EO 12333 does not contain authorization to compel private companies (such as Planful) to disclose data.
Technical Measures
Planful’s technical measures to protect customer data include:
Organizational Measures
Planful’s organizational measures to protect customer data include:
Contractual Measures
Planful’s contractual measures are set forth in the DPA and SCCs, which subject us to the requirements below:
Given the information discussed in this Transfer Impact Assessment, including the technical, organizational, and contractual measures Planful undertakes to protect customer personal data, Planful does not consider the risks involved in transferring and processing European personal data in/to the US and India to inhibit our ability to comply with our obligations under the SCCs as the data importer or to ensure that individuals’ rights remain protected. As such, no additional supplementary measures are currently required.
Planful will review and, as necessary, re-evaluate the risks involved and the measures it has implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.
Purpose of Transfer and any further Processing
Frequency of Transfer
Categories of Personal Data Transferred
Sensitive Data Transfer
We do not intentionally transfer any sensitive personal data. We expressly prohibit processing of sensitive personal data in our software.
Technical, Organizational, and Contractual Obligations
Information regarding technical, organizational, and contractual obligations is provided in the corresponding sections above.
Law Enforcement Requests
Should Planful receive any requests for access from law enforcement, we will notify the customer to the extent lawfully permitted. If we are not permitted to disclose the request to the customer, we will challenge the request and seek to obtain a waiver. Planful will also review and challenge the legality of the requests and not provide access to the data if the request is considered unlawful. We require the same of our sub-processors.
Length of Processing Chain
Applicable Transfer Mechanisms
We use Standard Contractual Clauses for onward transfers to our sub-processors.
Purpose of Transfer and any further Processing
Frequency of Transfer
Categories of Personal Data Transferred
Sensitive Data Transfer
We do not intentionally transfer any sensitive personal data. We expressly prohibit processing of sensitive data in our software.
Technical, Organizational, and Contractual Obligations
Information regarding technical, organizational, and contractual obligations is provided in the corresponding sections above.
Law Enforcement Requests
Should Planful receive any requests for access from law enforcement, we will notify the customer to the extent lawfully permitted. If we are not permitted to disclose the request to the customer, we will challenge the request and seek to obtain a waiver. Planful will also review and challenge the legality of the requests and not provide access to the data if the request is considered unlawful. We require the same of our sub-processors.
Length of Processing Chain
Applicable Transfer Mechanisms
We use Standard Contractual Clauses for onward transfers to our sub-processors.