What are the rules governing the transfer of personal data to LIVECHAT?
We value your privacy and we are committed to protecting your information.
What that means for you?
The transfer of personal data is an important part of our service. If you want to better understand the rules and conditions in which we secure the transfer of your personal data, this document is for you.
We ensure that any transfer of personal data from the European Economic Area (EEA) and the United Kingdom (the UK) to us is performed under the conditions outlined in our Data Protection Addendum (DPA) as one of the most common ways of achieving cross-border data transfers in compliance with the data protection laws.
With respect to how LiveChat, Inc. (LiveChat) processes your data (including personal data) and shares it with sub-processors please note that we have access to your customer data (including personal data) in accordance with our Terms of Use and Privacy Policy which we kindly suggest familiarizing yourself with.
As a Client - what should I keep in mind before transferring personal data to LIVECHAT?
LIVECHAT, as the processor of your data under your account (including the personal data of your end-users (i.e. visitors to your website where our product is implemented), needs to be sure that for the entire duration of your subscription to our products, you have a legal basis for collecting, processing and transferring the data of your end-users to our products to enable us the fulfilment of our obligations pursuant to the Agreement. Please remember, that the consent of your end-users to have their personal data processed by you and transferred to us should always be lawfully collected by you. It’s important, as we can only provide our services to you if you, as an owner of data contractually confirm to us that you have a continuing legal basis for collecting, processing end-users data when chatting with you and transferring it to us to provide you with the services you subscribed for.
Any legal assistance you may need with the lawful transfer of personal data from you to us should be discussed with your legal advisor who knows your organization, purposes and your local regulations.
Do LIVECHAT products make it easier to collect consent from clients’ end-users?
Yes. Our products are built with customer security and privacy in mind. As a global service provider, we allow you to adjust the chat window to the legal data protection obligations you may be subject to in order to capture the necessary consent from your end-users and facilitate your use of our product in a legit way. Want more information about how to prepare your chat to be GDPR, CCPA and UK GDPR compliant? Go to consent settings.
What EU-US changes are coming up after Schrems II?
To the extent that personal data are transferred from the EU to the US, companies like LIVECHAT can no longer rely on the EU-US Privacy Shield, following the CJEU’s decision in Schrems II.
The new mechanism to allow for transfers of personal data between the EU and the U.S. is now advancing after an October 7th, 2022 Executive Order was issued by U.S. President Biden (the “Executive Order”). The so-called Trans-Atlantic Data Privacy Framework referred also to as the EU-U.S. Data Privacy Framework (the “Framework”) is intended to replace the now-defunct EU-U.S. Privacy Shield mechanism. We monitor planned changes and will reflect them as soon as they will be in effect.
Until there are binding new Framework rules, below you will find the necessary information about the currently applicable mechanisms for transferring personal data from your location to us, so that you can be more aware of what legal standards we apply to the processing of your end-users data when you transfer it from the EU/EEA and the UK to the US.
We are located in Europe. Can we transmit personal data outside the EU to LIVECHAT?
Yes. LIVECHAT complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (The General Data Protection Regulation – GDPR). It means that we are committed to subjecting all personal data received from European Union (EU), European Economic Area (EEA) and Switzerland in reliance on the GDPR. To learn more about our GDPR compliance, please visit our data protection- faq.
How does LIVECHAT comply with the GDPR when there is a transfer of Personal Data from the EU/EEA?
As per the GDPR, personal data transfers to another country outside the EU can take place only when an adequate level of protection is ensured or there are safeguards in place to ensure the level of protection is essentially equivalent to that currently guaranteed inside the EU.
We are located in the United States with no adequacy decision. Therefore, to facilitate EU/US cross-border data transfers in the absence of an adequacy decision, we rely on the SCCs approved by the European Commission that offers sufficient safeguards on personal data protection to be transferred internationally from the EU/EEA to the US.
How SCCs are executed by LIVECHAT?
We have included the new SCCs (Module II) in our DPA which allows both LIVECHAT and its EU/EEA customers to comply with the GDPR regulation when there is a cross-border transfer of personal data from EU/EEA to us. Module II pertains to the transfer from the controller (the owner of the data -that is you) to the processor (a service provider that is contracted to process the data on behalf of the controller - that is us) and is presented as Exhibit C to our DPA.
Can transfers of personal data be validly made to and from the UK to the EEA?
Yes. Transfers of personal data from the EEA to the UK may take place without additional safeguards since the European Commission considered on 28 June 2021 that the UK offers an adequate level of protection for personal data. The UK is an “adequate” country for EU GDPR purposes.
We are located in the UK. What rules apply if I transfer personal data made from the United Kingdom (“UK”) to LIVECHAT?
Under UK GDPR, personal data can be transferred from the UK by using tools or mechanisms akin to those under the GDPR.
After 21 September 2022, all personal data transfers from the United Kingdom (“UK”) to us (a non-EU/EEA third country) are legitimized by using the EU SCCs, subject to the UK Addendum (an international data transfer addendum to the EU SCCs). It means that when making international transfers from the UK to us, we rely on the UK Addendum and the new EU SCCs offering sufficient safeguards on personal data protection to be transferred internationally from the UK to the US.
Should I sign a new DPA with LIVECHAT if my company started using LIVECHAT services before 27 September, 2022?
No. We are aware that DPA with us under the old EU SCCs entered into on or before 21 September 2022 with LIVECHAT will continue to be compliant until 21 March 2024. However, as of September 21, 2022, our existing DPA has been automatically replaced by us with a new valid transfer mechanism that is the UK Addendum alongside the new EU SCCs there is no need to sign a new DPA with LIVECHAT. It applies to all our UK customers regardless of whether you started using our services before or after September 21, 2022.