Schrems II and International Data Transfers with DigitalOcean FAQ

This page provides information about DigitalOcean’s use of the SCCs in our standard Data Processing Agreement (DPA), as well as information about the additional safeguards and supplementary measures offered by DigitalOcean, to further enhance the protection for international data transfers of personal data under the General Data Protection Regulation (GDPR).

What is Schrems II?

Schrems II was a ruling by the Court of Justice of the European Union (CJEU) on July 16, 2020, that had implications on the international transfer of personal data from the EU to non-EU countries. As a result, companies were required to adopt new mechanisms and safeguards for the international transfer of EU personal data. One such mechanism was the Standard Contractual Clauses (SCCs) in which additional technical, organizational, and contractual measures were to be applied to provide essentially equivalent protections guaranteed by EU law.

What is DigitalOcean’s response to Schrems II?

DigitalOcean has made several changes to the security and privacy of EU personal data.

We have updated our Data Processing Agreement (DPA) to more clearly define the roles and responsibilities of you as the customer and our responsibility as DigitalOcean.
We have added new Controller-to-Controller and Controller-to-Processor information, including supplementary measures, processing activities, and information on international transfers within our DPA.
We have implemented a new support process for accessing more sensitive data within your droplet console. Non-EU based DigitalOcean employees will be unable to access droplet consoles of resources located in EU data centers. Any requests for droplet console access will be routed through EU-based DigitalOcean employees.

What should I tell my customers about how DigitalOcean deals with international data transfers?

Please encourage your customers to review our Data Processing Agreement in accordance with their requirements and share with them our Controller-to-Processor Schedule. This Schedule details what additional safeguards and supplementary measures are in place for valid international data transfers.

How does this ruling impact my business?

If you process personal data about your customers and have business operations in the European Union, the European Economic Area and/or its member states, Switzerland and/or the United Kingdom, GDPR may be an applicable regulatory requirement for you. We encourage you to seek legal advice regarding this subject before proceeding.

A controller is the entity that determines the purposes and means of the processing of personal data. Some examples of a controller are listed below.

DigitalOcean is a controller for our customer’s personal data (e.g. personal information provided to DigitalOcean when signing up for our services)
A DigitalOcean customer may be a controller if they collect and process personal data on their customers (e.g. personal data provided to you by your customers)

A processor is the entity that processes personal data on behalf of another entity. An example of a processor is listed below.

DigitalOcean is a processor for our customer’s end-user personal data (e.g. A DigitalOcean customer stores their customer’s personal data on a DigitalOcean service)

Depending on how GDPR applies to your business and what personal data you process, you should:

Review our updated Data Processing Agreement that has embedded Standard Contractual Clauses.
Review Schedule 2 (Controller-to-Controller) in our Data Processing Agreement for additional details on the supplementary measures in place to transfer personal data regarding DigitalOcean customers.
Review Schedule 3 (Controller-to-Processor and/or Processor to Processor) in our Data Processing Agreement for additional details on the supplementary measures in place for the personal data you store on DigitalOcean products.

What supplementary measures should I implement?

This is highly specific to your business but there are some basic security requirements you should review. We recommend all our customers review their encryption practices in transit and at rest for all customer personal data they process. Encryption is the responsibility of DigitalOcean customers to define and implement as detailed in DigitalOcean’s Shared Security Responsibility Model. Based on guidance from the European Data Protection Board (paragraph 79) in response to the Schrems II decision, this is an adequate supplementary measure that can be taken to protect personal data transfers from the EU to non-EU countries.

How do I request DigitalOcean’s list of sub-processors?

The list of sub-processors for our Controller-to-Processor Schedule is available upon request by reaching out to privacy@digitalocean.com.