Privacy Shield decion of EU Court - EU users

  • 28 October 2021
  • 1 reply

“The adequacy decision on the EU-US Privacy Shield was adopted on 12 July 2016 and allowed the free transfer of data to companies certified in the US under the Privacy Shield. In its judgment of 16 July 2020 (Case C-311/18), the Court of Justice of the European Union invalidated the adequacy decision. The EU-US Privacy Shield is therefore no longer a valid mechanism to transfer personal data from the European Union to the United States.  “

How has Typeform reacted to this decision as it is no longer under the “umbrella” of the Privacy Shield? The current information on privacy points to most data being stored in the US and creates a problem for businesses and organizations in EU. 


Best answer by Gabriel 28 October 2021, 15:58

View original

1 reply

Badge +5

Hello there. Welcome to the Typeform community :wave_tone3:

We have an official release from our Legal Team regarding this matter, I hope this answers your query, please see below:


Thank you for your communication and concern about GDPR compliance. First of all, we would like to inform you that, at Typeform, we take your data privacy and security seriously, as well as compliance with the laws and GDPR.


The Court of Justice of the European Union (CJEU) issued a ruling regarding the EU-US Privacy Shield and Standard Contractual Clauses (SCCs), also known as model clauses. The CJEU ruled that the EU-US Privacy Shield is no longer valid for the transfer of personal data from the European Union (EU) to the United States (US). However, in the same ruling, the CJEU confirmed that companies can continue to use SCCs as a valid mechanism for transferring data outside of the EU.

Following this ruling, we would like to inform you that Typeform as AWS customer, can continue to use AWS as a store and processor of content from Europe to the US, in compliance with EU data protection laws – including the General Data Protection Regulation (GDPR). Typeform relies on the SCCs included in the AWS Data Processing Addendum (DPA). As the regulatory and legislative landscape evolves, we will always work to ensure that our customers and partners can continue to work with Typeform with all the security and legal guaranties.


Also, as prevention measures, we have performed a risk assessment for that particular situation and the only risk we have identified here is the NSA asking AWS for Typeform data. The only way AWS can provide that information is via the physical drives because AWS does not have access to the logical systems of Typeform and by our security policies, by default, all those hard disks where the data is stored are fully encrypted to prevent exactly that.


Any questions let us know!