This document provides information to help our customers conduct data transfer impact assessments in connection with their use of Alludo products, in light of the “Schrems II” ruling of the Court of Justice for the European Union (CJEU, ruling of July 16, 2020 - C-311/18) and the recommendations from the European Data Protection Board.
All capitalized terms like “Personal Data,” “Process/Processing,” “Controller,” “Processor,” etc. shall have the meaning set forth in our DPA.
Where we process Personal Data on behalf of our customers as a Data Processor, we comply with our obligations as described in our Data Processing Addendum (“DPA”) available here. The DPA provides the following information:
The type of Processing performed by Alludo as the Data Processor in relation to its customers is for product registration, order management, and product usage purposes. Customers can also initiate Data Processing by voluntarily asking for support services from Alludo.
The types of Personal Data processed by us under our DPA include registration information, which may include contact data (name, title, company address, phone number, email address), as well as usage data indicating details of the use of our products and services. Customers may also voluntarily submit support requests to Alludo, which may or may not contain Personal Data.
The Data Subjects are our customers, which includes the customer’s employees and other natural persons whom the customer allows to use the Services.
The customer Personal Data processed by Alludo is of a limited scope, is purely of a commercial nature, and does not contain any sensitive data.
Customers can to a large extent control and further limit the scope of Personal Data processed, for example, by using more generic corporate email addresses for product registrations and support requests.
Depending on which of our products the customer uses, the following Alludo Group companies would be acting as Data Processor:
Parallels International GmbH in Switzerland, for software that is branded “Parallels”;
Awingu NV in Belgium, for software that is branded “Awingu” and Corel Corporation in Canada, for all other of our software brands.
As the Data Processor, Corel Corporation is domiciled in Canada. As per decision 2002/2/EC of the EU Commission, Canada is deemed to provide an adequate level of data protection regarding commercial organizations such as Corel Corporation.
Parallels International GmbH, as the Data Processor, is domiciled in Switzerland. As per decision 2000/518/EC of the EU Commission, Switzerland is deemed to provide an adequate level of data protection regarding commercial organizations such as Parallels International GmbH.
Awingu NV is domiciled in Belgium, EU.
We may transfer customer Personal Data wherever we or our third-party service providers (sub-processors) operate for the purpose of providing you the Services. The locations will depend on the particular Products and Services that you use, as outlined in our product specific list of sub-processors.
A list of all of our data sub-processors is available here: https://www.alludo.com/en/legal/sub-processors/.
Where Personal Data originating from EEA, UK, or Switzerland is transferred to Alludo, Alludo relies on adequacy decisions for Canada and Switzerland to provide an appropriate safeguard for the transfer.
Where customer Personal Data originating from EEA, UK, or Switzerland is transferred between Alludo group companies we have an intercompany data transfer agreement in place which has been updated to reflect the new Standard Contractual Clauses.
The transfers of customer Personal Data to sub-processors established in third countries outside the EEA, UK, or Switzerland, or the processing of Personal Data in such third countries, is governed by the new Standard Contractual Clauses.
As noted above, Alludo relies on Standard Contractual Clauses to transfer Personal Data internationally. Alludo will continue to use Standard Contractual Clauses (SCCs), which remain valid under the recent Schrems II decision by the CJEU, as a legal mechanism for transferring Personal Data of its customers from the EEA, UK, or Switzerland to our affiliated entities and sub-processors in the U.S. or other applicable jurisdictions. Our Data Processing Agreement (DPA) incorporates the Standard Contractual Clauses which have been adopted by the EU Commission. Sub-processors used by Alludo have undergone a risk assessment to review compliance with the Schrems II requirements.
Alludo continues to monitor the progress of the U.S Government and the European Commission in establishing a new Data Privacy Framework to replace the Privacy Shield. General information on the legal framework and the applicable privacy and data security standards in the U.S. can be found in a whitepaper from September 2020 published by the U.S. government in the wake of Schrems-II U.S. Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S.Data Transfers after Schrems II.
The latest developments in the EU-US Data Privacy Framework can be followed on the European Commissions website: https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_6045
The Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities which was signed on Oct. 7 2022 by President Biden can be found here: https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/
We provide the following technical measures to secure customer data:
Our contractual measures are set out in our DPA. For transfers to sub-processors in third countries we rely on the SCCs. In particular, we are subject to the following requirements:
Our organizational measures to secure customer data include:
We have implemented the additional supplementary measures outlined in the section above to reduce the risks in connection with the transfer of Personal Data of our customers to third countries. It is always recommended that each customer does its own risk assessment, based on the specifics of that customer’s business. Based on your particular business, you may choose to implement measures in addition to those laid out in this document We are committed to providing and continuing to advance technical, legal, and organizational safeguards so that Alludo can carry out cross border data transfers in a way that protects your data from being accessed by third parties.
We will review and, if necessary, reconsider the risks involved and the measures we have implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.
For all privacy related questions please contact firstname.lastname@example.org