At Box, securing our customers’ content is at the heart of our platform and products. We’re focused on leading digital transformation across the globe, enabling our customers to manage the entire content lifecycle on one secure platform called the Content Cloud.
In 2021, we shared with you an update on our continued commitment to safeguarding customer data following the issuance of updated European Union Standard Contractual Clauses (EU SCCs) by the European Commission. At the time, we were also awaiting the final outcome of the UK’s Information Commissioner’s Office (ICOs) assessment and adoption of the UK Standard Contractual Clauses (UK SCCs). Today, we want to share an update on our ongoing efforts to support our customers in maintaining a lawful data transfer mechanism throughout the European Union (EU) and United Kingdom (UK).
To support our customers in meeting their business, privacy, security, and regulatory needs, Box is committed to implementing all necessary SCCs within the required timeframe.
Current Customers Doing Business in the EU
Any current Box customers doing business in the EU that continue to rely on the original EU SCCs developed under the predecessor of the General Data Protection Regulation (GDPR), the European Union Directive 95/46/EC, are required to transition to the updated EU SCCs by December 27, 2022. To support compliance with GPDR data transfer obligations, we have previously made available an updated Data Processing Addendum (DPA) that included the updated EU SCCs on the Box GDPR website. We encourage our current customers doing business in the EU that have not already executed the updated DPA (which includes the updated EU SCCs) to do so by reviewing and accepting the agreement found on the Box GDPR website.
New customers doing business in the UK
On March 21, 2022, the ICO issued the UK SCCs as a valid data transfer mechanism for cross-border data transfers from the UK to third countries such as the United States. The ICO has adopted a transition period for implementing the UK SCCs, the applicability of which depends on whether a customer is a new or current Box customer. With the ICO’s issuance of the UK SCCs, we have updated our DPA to support compliance with our shared legal obligations in the UK.
After September 21, 2022, the original SCCs will cease to be valid for data transfers from the UK to third countries. This means that after September 21, 2022, new Box customers requesting a DPA will have an opportunity to review and accept the DPA that incorporates the UK SCCs on the Box GDPR website.
Current customers doing business in the UK
Box is committed to adhering to one of the most comprehensive data protection frameworks and transfer mechanisms in the United Kingdom - Processor and Controller Binding Corporate Rules (UK BCRs). While customers can continue to rely on Box’s UK BCRs as a valid data transfer mechanism, we encourage current Box customers doing business in the UK to review and accept the updated DPA with the new UK SCCs prior to the end of March 2024. Executing the updated DPA will help ensure customers have multiple mechanisms for compliant data transfers. To review and accept the updated DPA (which includes the UK SCCs), please visit Box’s GDPR website.
Contact Box to learn more
We value you - our customers - and we remain vigilant in our commitment to supporting your data privacy protection needs. As the regulatory landscape evolves, we'll continue monitoring the situation to ensure Box meets customers' business, legal, security, and regulatory needs. If you continue to use the Box services provided under the relevant DPA or other agreement already in place after December 1, 2022, we will consider you to have consented to the Agreement, and its terms will thereafter apply. Should you have any questions, or to exercise your right to object under GDPR, please email us at firstname.lastname@example.org.
To learn more about security, privacy, and compliance at Box, visit the Box Trust Center.