This page provides information about DigitalOcean’s use of the Standard Contractual Clauses (SCCs) in our standard Data Processing Agreement (DPA), as well as information about the additional safeguards and supplementary measures DigitalOcean offers to further protect international transfers of personal data under the General Data Protection Regulation (GDPR).
Schrems II was a ruling by the Court of Justice of the European Union (CJEU) on July 16, 2020, that had implications for the international transfer of personal data from the EU to non-EU countries. As a result, companies were required to adopt new mechanisms and safeguards for the international transfer of EU personal data. One such mechanism was the Standard Contractual Clauses (SCCs), under which additional technical, organizational, and contractual measures were to be applied to provide protections essentially equivalent to those guaranteed by EU law.
DigitalOcean has made several changes to the security and privacy of EU personal data.
Please encourage your customers to review our Data Processing Agreement in accordance with their requirements and share with them our Controller-to-Processor Schedule. This Schedule details what additional safeguards and supplementary measures are in place for valid international data transfers.
If you process personal data about your customers and have business operations in the European Union, the European Economic Area and/or its member states, Switzerland and/or the United Kingdom, GDPR may be an applicable regulatory requirement for you. We encourage you to seek legal advice regarding this subject before proceeding.
A controller is the entity that determines the purposes and means of the processing of personal data. Some examples of a controller are listed below.
A processor is the entity that processes personal data on behalf of another entity. An example of a processor is listed below.
Depending on how GDPR applies to your business and what personal data you process, you should:
This is highly specific to your business, but there are some basic security requirements you should review. We recommend that all our customers review their practices for encrypting, in transit and at rest, all customer personal data they process. As detailed in DigitalOcean’s Shared Security Responsibility Model, defining and implementing encryption is the responsibility of DigitalOcean customers. Based on guidance from the European Data Protection Board (paragraph 79) in response to the Schrems II decision, this is an adequate supplementary measure that can be taken to protect personal data transfers from the EU to non-EU countries.
The list of sub-processors for our Controller-to-Processor Schedule is available upon request by reaching out to privacy@digitalocean.com.