As your trusted partner in cyber-resilience, Mimecast is committed to providing our customers with the best service possible. We are continuing to monitor developments and guidance issued by the authorities applicable to Mimecast as well as the negotiations toward the end of the Brexit transition period. The Brexit transition period is currently in place until 31 December 2020.
The GDPR will be retained in UK law as the UK GDPR (which also effectively includes the applied GDPR). The DPA 2018 will continue to apply (as amended by the various Data Protection Brexit Regulations). The UK regime will therefore consist of the UK GDPR and the DPA 2018 (“UK Data Privacy Laws”). Mimecast will continue to take into consideration the requirements of both the GDPR and the UK Data Privacy laws in its operations. In practice there will be little change to the core data protection principles, rights and obligations we and our customers currently comply with. Further, the technical and organizational measures that Mimecast has designed and implemented to protect the customer data entrusted to us will not change. You can find details about those measures on our Trust Center here.
Data transfers from the UK to the EEA will be unaffected. The UK will recognise all EEA member states, EU and EEA institutions, all current EU Commission Adequacy Decisions, and Gibraltar as providing an adequate level of protection for personal data, to permit data exports. At this stage, the EU Commission has not declared the UK as adequate for data transfer purposes and so, from 1 January 2021, the UK will become a third country under the GDPR. With that in mind, we are monitoring the developments in the recent guidance published by the European Data Protection Board relating to measures that supplement tools for transfers of personal data outside of the EEA.
The Standard Contractual Clauses (“SCCs”) continue to be an adequate transfer mechanism ensuring the appropriate safeguards for the transfer of personal data under applicable data protection regulations from the EU to the UK and other third countries. Under our standard DPA, Mimecast has committed to contractual obligations for the protection and transfer of personal data, including the data importer obligations of the SCCs. Please be aware that we are also monitoring developments in the new drafts of the SCCs issued by the EU Commission.
If you do not yet have a DPA in place with Mimecast, you can download a pre-signed PDF version of the DPA on our Trust Center. You simply need to arrange for signature by an authorized representative of your company and return the signed copy to your Customer Success Manager. Once the DPA is signed by your company and returned to, and receipt acknowledged by, your Customer Success Manager, it will become a legally binding agreement.
We will issue any further updates to this statement as may be needed.