Last Updated: February 18, 2021
We know that many organizations have questions about the GDPR, their obligations under it, and its most recent developments. The privacy team here at KnowBe4 put together this guide to help clear the air on some of the most common and pressing issues with European Economic Area (“EEA”), Switzerland and UK data transfers, and to assist you on your compliance journey. We hope that this guide will support your efforts in making a determination that there are adequate levels of protection in place for the processing of your personal data.
Although we go to great lengths to make sure our information is accurate and useful, we are not a law firm and cannot provide you with legal advice. This webpage/guide has been prepared for general information purposes only to permit you to learn more about doing business with KnowBe4, Inc. and its affiliates (“KnowBe4”). The information presented is not legal advice, is not to be acted on as such, may not be current, and is subject to change without notice.
Fiction: “Due to the Schrems II decision, United States data processors can no longer process European Union personal data.”
Fact: Due to the ruling, the Court of Justice of the European Union (“CJEU”) now requires the adoption of “supplementary measures” to provide legal certainty for data transfers. Organizations are now required to assess their international data transfers against the requirements of the CJEU and the European Data Protection Board (“EDPB”), amongst a few other requirements, which can be found here.
Although the ruling found that U.S. law (Section 702 of the FISA and EO 12333) does not ensure an essentially equivalent level of protection for European personal data, the Foreign Intelligence Surveillance Act (“FISA”) should not directly impact KnowBe4’s operations. To date, KnowBe4 has not received any request under Section 702 of the FISA. Our processing activities are highly unlikely to be relevant to the foreign intelligence activities governed by Section 702. Additionally, EO 12333 does not give the U.S. government the right to compel U.S. companies to provide assistance with its mass surveillance activities. As a result, KnowBe4 cannot be compelled to take any action to facilitate the type of mass surveillance under EO 12333 that the Schrems II decision deemed problematic. The CJEU indicated that the Standard Contractual Clauses can be used for transfers of personal data to the U.S. where the Standard Contractual Clauses, together with any other safeguards that may be added, provide adequate protection for the personal data in light of Section 702 of the FISA and EO 12333.
The KnowBe4 privacy team has put together this EU-US data transfer assessment to aid you in making a determination that there are adequate technical and organizational measures in place for the transfer and processing of your personal data.
Fiction: “The Standard Contractual Clauses can no longer be used for the transfer of personal data to the United States.”
Fact: The Standard Contractual Clauses may still be used for data transfers to the United States with the appropriate supplementary technical and organizational security measures. The Standard Contractual Clauses are included in our data processing addendum, which can be found here. The European Commission will be releasing a new set of standard contractual clauses within the coming months (expected Q1 or Q2 of 2021). KnowBe4 will continue to keep a close eye on the developments in order to ensure compliance with any new requirements set forth by European regulators.
Fiction: “The GDPR and the most recent data transfer developments require personal data to be stored in the EU.”
Fact: The GDPR and recent data transfer rulings do not require information to be stored within the European Union. Personal data can still be transferred to countries with an adequate level of data protection, or to a country with a non-adequate level of data protection, as long as there is an appropriate legal mechanism in place. Although we offer storage of some data within the European Union, some data will continue to be processed in the United States. Our customers may rely on our standard contractual clauses, in connection with the appropriate technical and organizational security measures set out in our DPA, as an appropriate legal mechanism for data transfer from the European Union to the United States. For more information about our data centers, please visit knowbe4.com/security.