Data Transfer Impact Assessment (DTIA)

This Data Transfer Impact Assessment (“DTIA”) assists our customers in conducting a risk assessment for the transfer of personal data in regards to Bird Labs GmbH’s products, including support and services (together, “Services”). The usage of these Services requires processing of personal data by Bird Labs GmbH (further referred to as “Company”), and its sub-processors. The “Schrems II” ruling of the Court of Justice for the European Union resulted in recommendations from the European Data Protection Board. This DTIA supplements the information necessary for compliance with data transfer provisions under the European Data Protection Law as defined in our Data Processing Addendum (DPA).

The Company only stores personal data in data centers located in the EU, but relies on sub-processors (listed in the aforementioned DPA). Some of these sub-processors, without which the Company cannot deliver its services, process data in other countries.

Under the European Data Protection Laws, personal data may not be transferred outside of Europe, unless: 

• (i) the importing country has been deemed adequate by the relevant governmental body; or:
• (ii) the data exporter has appropriate safeguards in place to ensure that personal data transferred is subject to an adequate level of protection. Those safeguards are referred to as “transfer mechanisms.”
  

1. Scope of the Data Transfer Impact Assessment

This DTIA covers direct and onward data transfers in connection with the Company providing its Services. The processing activities (incl. transfers) are outlined in the Company’s DPA.

These processing activities result in personal data being processed in jurisdictions outside of Europe, to countries holding adequacy status under the European Data Protection Laws, namely the United States.

2. Data processing in the United States

Commercial organizations in the United States offer an adequate level of data protection under European Data Protection Laws if they participate in the Data Privacy Framework. Hence, personal data can flow from the EU (and Norway, Liechtenstein, and Iceland), UK, and Switzerland to organizations with jurisdiction in the United States without the necessity of additional transfer impact assessments or additional safeguards. Transfers are treated like data transfers within Europe.

Most of the Company’s sub-processors (as listed in the DPA) participate in the Data Privacy Framework.

For the remaining sub-processors, we continue to rely on the Standard Contractual Clauses (SCCs) as a transfer mechanism. The EU Commission confirmed in its FAQs that all safeguards that have been put in place by the US Government in the area of national security (including the redress mechanism) apply to all data transfers under the GDPR to companies in the US regardless of the transfer mechanism used. These safeguards therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules.