If you are located in the European Economic Area (EEA)/UK or use our platform to process data about your contacts in the EEA or UK, our Data Processing Addendum has been drafted to meet the requirements of the GDPR in order to enable you to transfer EEA/UK personal data to Mailchimp in the United States, and to permit Mailchimp to lawfully process that data on your behalf.
Mailchimp has self-certified its compliance to both the EU-Swiss Privacy Shield Framework and the Swiss-US Privacy Shield Framework.
In addition, Mailchimp contractually commits to transfer and process all of its users’ EU and UK data in compliance with the Standard Contractual Clauses, which remain a valid data export mechanism and which automatically apply in accordance with Mailchimp's Data Processing Addendum.
More information about data transfers
We know that some of our users may have questions about the CJEU’s recent ruling regarding data transfers, and how the ruling affects their use of Mailchimp. Below are some common questions and answers.
What did the CJEU recently decide regarding data transfers from the EU?
On July 16, 2020, the CJEU invalidated the EU-US Privacy Shield Framework (Privacy Shield), which was one way for companies to transfer data legally from the EU/UK to the US. At the same time, the CJEU confirmed that Standard Contractual Clauses (SCCs) continue to provide a valid mechanism for companies to transfer personal data outside the EU/UK. Following the ruling, however, transfers based on SCCs may be challenged on a case-by-case basis, especially where national security laws conflict with the guarantees provided by the data importer under the SCCs.
The CJEU noted that, in addition to adhering to the SCCs, the data exporter and data importer may need to agree to supplemental measures to ensure an adequate level of protection for the transferred data, but did not specify what those measures could be. The European Data Protection Board recently issued some FAQs confirming that it’s currently analyzing the CJEU’s decision, and will issue guidance on what those supplemental measures could consist of in the future. Mailchimp will review this guidance as soon as it is available and implement it to the best of its ability to ensure compliance with all applicable data protection laws.
How does the CJEU's decision affect my use of Mailchimp?
We want to reassure our users that they can continue using Mailchimp in compliance with EU/UK law. We knew that the CJEU’s ruling was a possibility, so we have long provided our users with two layers of protection for data transfers from the EU/UK to the US in our Data Processing Addendum (DPA): compliance with the EU-US Privacy Shield Framework and the SCCs.
While the CJEU's ruling invalidated the EU-US Privacy Shield Framework, it did not affect the SCCs, which remain a valid data export mechanism. Our agreements are structured in a way that the SCCs automatically take effect, so our users were protected by the SCCs immediately after the ruling. In addition, we will also continue to honor our obligations to protect EU, UK, and Swiss data in compliance with the Privacy Shield Principles.
We are also committed to protecting our users’ ability to transfer and process data on our platform. We are reviewing the CJEU's decision carefully and will continue to closely monitor the evolution of international data transfer mechanisms under the GDPR and emerging guidance to determine whether we need to make any additional changes to our practices, including implementing any supplemental measures as a data importer.
Does Mailchimp transfer data outside of the EU/UK? If so, to which countries?
Mailchimp is headquartered in and has offices in the United States and our servers are also located in the United States. This means data we process may be transferred to, stored, or processed in the United States. In addition, we leverage third-party vendors who process personal data on our behalf, to provide services to Mailchimp, and their servers may be located outside of the EU/UK. A full list of the sub-processors we use to process our users’ data, along with details of their location, are available here. We take steps to ensure that our vendors offer appropriate safeguards to protect personal data they process on our behalf, and contractually obligate them to process such data in compliance with applicable data protection laws.
How does Mailchimp ensure that data from the EU/UK remains protected outside of Europe?
Mailchimp has put a number of measures in place to ensure that EU/UK data remains protected when it’s transferred outside of Europe.
In addition to incorporating the SCCs, our Data Processing Addendum also specifies our commitments to security, confidentiality of processing, limitations on international transfers of personal data, cooperation with data subject rights, notice of security incidents, and more.
Importantly, Mailchimp does not sell, rent, or trade user data.
While the CJEU’s ruling on the Privacy Shield complicates EU-US data transfers, it changes little regarding the paramount importance Mailchimp places on the privacy and security of our users’ data. Our security and privacy program is outlined in detail on our security page.
Here’s a summary of some of the important and specific technical and organizational measures we have implemented (and will continue to implement) to safeguard against unauthorized access to user data:
Mailchimp has where and to the extent technically feasible, implemented encryption technologies across its infrastructure to help protect user data from unauthorized access when it’s processed internally by Mailchimp. For example, all Mailchimp production pages use transport layer security (TLS), a secure encryption protocol, and Mailchimp's internal wireless network utilizes 128bit WPA2 encryption. Further, Mailchimp email (256bit), all VPN connections (256bit), and the internal chat application (256bit) are also encrypted. Login pages use TLS and have brute-force attack protection. This also applies to mobile Mailchimp applications and the Mailchimp API.
(2) Access controls
Mailchimp restricts third-party access to its internal tooling and infrastructure. Our Legal team evaluates all requests for access, and ensures that the request is appropriate for the work to be performed, and that the third-party follows all security and privacy provisions outlined in their contract. Once approved, Mailchimp only grants access through controlled accounts to clearly -defined portions of the system.
Mailchimp remains committed to maintaining the highest levels of privacy and security for our users. If you have questions about our security and privacy program, please email firstname.lastname@example.org.
Will Mailchimp be making any changes following the CJEU's decision?
Over the coming months, we anticipate that EU data protection regulators will issue additional guidance on the CJEU decision, including what the supplementary measures could consist of for those transferring data in reliance on the SCCs. In addition, the current form of the SCCs were written before the GDPR went into effect and will be updated at some point in time. We will continue to keep a close eye on forthcoming guidance to stay up to date and assess whether we need to make any changes to our existing practices.
In the meantime, we will continue to uphold our obligations and commitments to our users under our contracts, the GDPR, and the Privacy Shield framework.
How does Mailchimp respond to information requests?
We carefully consider all requests for information, and as a policy, don’t provide third parties with information from an account that doesn’t belong to them unless we are legally compelled to do so. This means we will only respond to a valid court order, subpoena, search warrant, or other proper legal process seeking information and records from a Mailchimp account.
Mailchimp uses certain guidelines when responding to requests for information, whether from a government or non-government entity:
We strive to maintain user privacy and confidentiality.
Where feasible, we ask the requestor to seek the information directly from the relevant account holders rather than from Mailchimp.
We ask the requestor to provide us with as much information as possible so that we can properly identify the correct user account. We will not respond to a request unless we first have adequate and specific information, such as an email address, email headers, internet domain, username, IP address, or other similar information, that enables us to identify and locate the correct account.
Absent a statutory exception under U.S. law, we only respond to requests that have been made through valid U.S. legal process. This means the legal process (such as subpoenas, discovery requests, search warrants, or court orders) must be properly domesticated by a U.S. court of competent jurisdiction and issued in accordance with the applicable federal and/or state procedural rules before Mailchimp will respond.
Mailchimp does not accept requests directly from government entities outside the U.S. We only respond to foreign government requests made through a Mutual Legal Assistance Treaty or another available diplomatic or legal means to obtain information from Mailchimp.
Mailchimp commits to providing users advance written notice of any compulsory requests to access their data, unless we are prohibited by law from doing so.
Does Mailchimp publish transparency reports about information requests?
In order to demonstrate our commitment to privacy and our efforts to be as transparent as possible, Mailchimp now publishes annual transparency reports (available here) to document the number and type of legal requests we receive. While there are restrictions over the level of detail we can provide, we will do our best to be as transparent as legally possible in all such reports. In the meantime, if you have any questions please contact us at email@example.com.