Twilio has updated our Data Protection Addendum (DPA) to include the new EU Standard Contractual Clauses (SCCs). This guide contains answers to common questions about this change.
Why is Twilio updating the Data Protection Addendum (DPA)?
We updated the DPA primarily to account for and incorporate the new Standard Contractual Clauses (SCCs) that the European Commission published on June 4, 2021 to address data transfers originating from the European Economic Area (EEA).
These new SCCs are meant to better align with the regulatory requirements of the General Data Protection Regulation (GDPR), and to address issues highlighted in recent legal decisions such as Schrems II. We also took this opportunity to revise and reformat our DPA to make it easier to read and understand for all Twilio and SendGrid customers. In other words, if you are a customer that does not engage in data transfers from the EEA to the US, the changes are mostly non-substantive.
These “new” modernized SCCs replace the 2001, 2004 and 2010 SCCs currently in use.
Does this impact me as a customer?
The updates to the DPA to incorporate the SCCs are only applicable to customers who use Twilio to process EEA personal data. However, we have also revised the DPA to make it easier to read and understand for all Twilio and SendGrid customers.
What do I need to do?
For those customers subject to our online DPA, no action is required. The updated DPA will automatically become part of your agreement with us effective September 27, 2021.
If you have negotiated a separate DPA with Twilio, which includes the prior version of the SCCs, those SCCs will remain in place and effective until December 27, 2022. If you would like to update them prior to Dec 27, 2022, please reach out to your Twilio Account Executive. We are happy to accommodate any requests to update to the new DPA at any point before or at your next renewal.
Are you making other changes to your DPA?
In addition to integrating the new SCCs, we have revised parts of the DPA to make it easier to read and understand for all of our global customers. Aside from these updates, however, we made no substantive changes.
When is the updated DPA effective?
The updated DPA will be automatically effective on September 27, 2021, for all Twilio and SendGrid customers that have agreed to the terms of our Online DPA. New transfers (i.e. new contracts) made after September 27, 2021, must use the new SCCs because the prior versions of the SCCs are repealed effective as of this date.
If you have negotiated a separate DPA with Twilio, which includes the prior version of the SCCs, those SCCs will remain in place and effective until December 27, 2022. If you would like to update them prior to Dec 27, 2022, please reach out to your Twilio Account Executive. We are happy to accommodate any requests to update to the new DPA at any point before or at your next renewal.
I have negotiated the terms of my DPA directly with Twilio/SendGrid (i.e., I am not subject to the standard online DPA terms). Do I need to update my DPA to account for new SCCs and when?
Yes, but there is a grace period. If you have negotiated a separate DPA with Twilio that includes the prior EU-approved version of the SCCs, those SCCs will remain in place and effective until December 27, 2022. If you would like to update them prior to Dec 27, 2022, please reach out to your Twilio Account Executive. We are happy to accommodate any requests to update to the new DPA at any point before or at your next renewal.
What changes do the EU’s new SCCs contain?
The European Commission updated the SCCs to address more complex processing activities that exist in today’s world, the requirements of the GDPR, and the Schrems II decision. The updates include requirements to apply additional transparency and notification controls covering government access requests, and to carry out and document an assessment of the laws of the third country to confirm that the local law in the importing country does not prevent Twilio’s compliance with the terms in the SCCs.
The new SCCs are also modular so they can be tailored to the type of transfer. The prior version of the SCCs applied only to controller-controller and controller-processor transfers of personal data from the EU to countries without an adequacy decision by the European Commission. The updated clauses are expanded to also include processor-processor and processor-controller transfers.
When are SCCs applicable to me as a customer?
Twilio has established and implemented a set of Binding Corporate Rules (“BCRs”) for internal transfers of personal information between Twilio group companies in the European Union and Twilio group companies elsewhere. Twilio’s BCRs have been approved by European Union Data Protection Authorities and are a commitment by Twilio to adequately protect personal information that Twilio processes regardless of where the information resides.
Where Twilio’s BCRs do not apply, including to cross-border data transfers of the SendGrid services, we rely instead on SCCs to transfer personal information outside the EEA, UK and Switzerland. However, even where SendGrid services are not covered by our BCRs, and in all cases in which we process personal data, we are committed to providing a high level of data protection for all our customers.
Do the new SCCs apply to transfers of personal data from the UK to the US?
No. The original SCCs, not the new EU SCCs, were adopted by the ICO after Brexit, and will continue to apply to transfers of personal data from the UK to the US until the UK recognizes the European Commission’s new SCCs or adopts its own version. For more information about UK data transfers, please view the ICO website on SCCs and data transfers. Upon both (a) formal adoption and approval by the UK Information Commissioner of new SCC terms, and (b) written notice from Twilio to the Customer, Twilio will amend the DPA (in the manner most appropriate and as permitted under the Agreement) to incorporate UK specific SCC terms and conditions.