International Data Transfers
Sparx direct data centres are in the EEA
Sparx direct data centres including back-ups are within the European Economic Area. This means that the transfer of school data to Sparx is covered by the European ruling of adequacy by the ICO. Countries within the EEA have been deemed to have adequate data protection laws in line with those of UK GDPR. No further contracting safeguards are needed to cover your school sharing data with Sparx other than those outlined in our Terms and Conditions > Section C: Data handling agreement.
We use SCCs + UK addendum or IDTAs for international sub-processors outside the EEA
We do not share student data outside of the EEA. We do share teacher and parent names and emails with support companies outside the EEA with fully GDPR-compliant contracts in place. Contract terms to cover international data transfers have changed significantly in the last few years.
- After Brexit, Sparx relied on EU adequacy ruling plus the US privacy shield.
- Post the Schrems II ruling in July 2020, the US privacy shield was no longer valid and we followed ICO guidance to use EU Standard Contractual Clauses to provide additional contracting safeguards for support companies outside the EEA. This ensured broadly the same protection rights as companies based in Europe. The latest version of the EU SCCs where released in September 2021, these are the ones that are used now.
- Following the ICO’s consultation on international data transfers, new legislation came into force in March 2022. This means that any contracts for data transfers outside of the EEA must contain the latest EU SCCs plus a UK addendum or International Data Transfer Agreement (or IDTA). Any new agreements Sparx enters with sub-processors will have this.
- Contracts for data transfers outside the EEA signed before the 22nd of September 2022 with just EU SCCs in them are still valid until March 2024. We have a rolling program to make sure these are all amended by the end of 2023.
- In July 2023, the European Commission passed the adequacy ruling for the USA for companies that are signed up to the Data Privacy Framework. Whilst this is encouraging, it does not mean the USA is adequate under UK GDPR. We still rely on the contracted terms listed above and await any change in adequacy ruling by the ICO.
- Contracts for data transfers inside the EEA are still covered by EU adequacy ruling.