As your trusted partner in cyber-resilience, Mimecast is aware of the recent decision by the Court of Justice of the European Union (“CJEU”) regarding its invalidation of Decision 2016/1250 on the adequacy of the protection provided by the EU-U.S. Privacy Shield Framework for the transfer of personal data outside of the European Economic Area (“EEA”) to the United States.
If you have executed our Mimecast’s Data Processing Agreement (the “DPA”), please note that the Transfer Section mandates that any transfers of personal data from the EEA to third countries (e.g., the US) take place pursuant to either the data importer obligations under the Standard Contractual Clauses (the “SCCs”) (which are incorporated by reference into the DPA) or the Privacy Shield Framework. In its recent decision, the CJEU has affirmed that Decision 2010/87 regarding the SCCs remains a valid transfer mechanism. Further, the Mimecast Group has executed an Intercompany Agreement that incorporates the SCCs, ensuring that the transfer of data between Mimecast affiliates remains in accordance with the requirements of the GDPR. A copy of the Intercompany Agreement can be found here.
We place contractual obligations on all subprocessors to have appropriate safeguards in place for the transfer of personal data. We are in the process of reviewing our vendor relationships and taking all necessary steps to ensure that appropriate transfer mechanisms are in place.
If you do not have a DPA in place with Mimecast and would like to do so, please visit our Trust Center and download a pre-signed copy. Once signed by an authorized representative of your organization, please return it to your Customer Success Representative.
The processing or transfer of personal data during Mimecast’s provision of Services to you, including our 24/7 follow-the-sun support model, continues under the same standards of protection afforded by our technical and organizational measures. Details of those measures, our various attestations and independent certifications, along with other data protection information, can be found on our Trust Center.
We will continue to monitor the developments and guidance issued by the European Data Protection Board and the authorities applicable to Mimecast and will issue further updates as appropriate.
The CJEU press release is available here.
The full judgment is available here.