2 min read

Privacy Shield update

Featured Image

On July 16, 2020, the Court of Justice for the European Union (EUCJ) invalidated the Privacy Shield as a measure for transferring personal data between the EU and the US. This blog post details some of the measures we have taken in response to that judgement.

Updates to our Data Protection Addendum

Our Data Protection Addendum, which was incorporated into our Master Services Agreement in 2018, was drafted to rely on both the Privacy Shield framework and in the alternative, the EU approved Standard Contractual Clauses.

In light of the Schrems ruling we have decided to withdraw from the Privacy Shield and have amended our contractual documentation accordingly. Our customers can continue to rely on the Standard Contractual Clauses to lawfully transfer personal data from the EU/EEA to non-EU/EEA countries, including the U.S.

How we protect you and your customers

  • Full details of the measures that we take in relation to privacy and security can be found in our Trust Center.  You can find details of the certifications that we adhere to, and request a due diligence pack that includes executive summaries of our latest penetration tests, our latest SOC 2 report as well as a completed CAIQ questionnaire.
  • Our Master Services Agreement and our Privacy Notice provide details of our data retention and deletion policies.
  • Our Subprocessor page provides details of the subprocessors we use.  You can subscribe to updates to our subprocessors using an RSS feed.  
  • As a Controller you have control of the data entered into our software by your customers, and our Support Center describes the ways in which you delete this data from your activity stream
  • For the sake of clarity, we wish to state that we have never received an access request from any US government entity, either directly or through any of our subprocessors.

We are closely monitoring developments in relation to a revised Privacy Shield framework as well as the European Commission’s progress towards updated SCCs, and we will provide updates in due course.

In the meantime, if you have any questions about OnceHub’s response to the Schrems II decision, then please contact our Privacy Office via our contact page.


Steve Smith, Chief Information Officer

As CIO, Steve heads our information department and oversees all aspects of privacy, security, and data management. He has over three decades experience as a solicitor, an IT systems designer, and as a risk and data privacy professional in the legal and insurance sectors. Steve is a qualified solicitor, and is CRISC and IAPP/E certified. In his spare time he enjoys cycling, cooking, and fine South African wines!