Workplace Data Transfer FAQs

At Workplace, we're committed to your privacy and security, with world-class infrastructure and enterprise-grade security features designed to keep your Workplace community safe.

We want to explain in more detail the commitments we make to our customers to keep their data safe and secure when it is transferred from the European Economic Area (EEA) to the US.

We have therefore put together this FAQ for our customers to explain how and why we transfer data, as well as the protections we have in place when doing so.

Is Workplace data transferred outside of the European Economic Area (EEA)?

Yes. In order to be able to provide the Workplace service, it is essential for us to be able to transfer data outside of the EEA and to utilise our global infrastructure. We do this in accordance with our Workplace Online Terms and specifically, the European Data Transfer Addendum. Workplace customer data processed by Facebook Ireland will be transferred to countries outside the EEA, including the United States, for the purposes described in our Workplace Online Terms. These data transfers are necessary to operate and provide the Workplace service.

Which GDPR transfer mechanism is used by Facebook Ireland to transfer Workplace data outside the EEA?

Facebook Ireland transfers its customers’ data outside the EEA using the European Commission Standard Contractual Clauses (SCCs) referred to in the European Data Transfer Addendum to the Workplace Online Terms. These data transfers are necessary to operate and provide the Workplace service.

From 27 September 2021, new SCCs will be in place between Facebook Ireland Limited (as exporting processor) and Facebook, Inc. (as importing subprocessor) to cover the transfer of Workplace customer controlled personal data. This is to be done using module three of the SCCs which is specifically designed for transfers by a processor to a subprocessor. Details of further subprocessors and onward transfers under those SCCs can also be found here:

Facebook Ireland has developed these FAQs to inform customers about some of the relevant factors considered by Facebook Ireland and Facebook, Inc. in accordance with the SCCs in carrying out its transfer impact assessment.

Why is Workplace moving to the new Processor to Processor module for SCCs?

As the old SCCs are being revoked by the European Commission as part of the modernisation of the SCCs, it is necessary to move to the new SCCs. The European Commission introduced the Processor to Processor module of the new SCCs as part of the modernisation of the SCCs - it is designed specifically for businesses like Workplace where customers contract with a European based processor which uses subprocessors outside Europe. As the Processor to Processor module is best aligned with how our Workplace customers contract with Facebook Ireland and not our subprocessors, Workplace is now moving to the Processor to Processor module. This option was not available previously with the old SCCs but has only become an option now that the SCCs have been modernised to reflect current business practices and data flows.

What about the Controller to Processor SCCs which have been in place prior to 27 September 2021?

The new SCCs described above will replace the old form SCCs which were in place between Workplace customers and Facebook, Inc. under the prior version of the European Data Transfer Addendum. Those old form SCCs are terminated from 27 September 2021 as they are being revoked by the European Commission as part of the SCC modernisation process and are no longer required.

What is the Schrems II Judgment on data transfers?

In July 2020, the Court of Justice of the EU (CJEU) clarified the basis on which organizations can transfer data outside the EEA. The CJEU confirmed the validity of the SCCs, but made clear that organizations are responsible for ensuring that data transferred is appropriately protected. Therefore, whilst we consider that the SCCs alone will continue to provide sufficient protection for transfers outside the EEA in most cases, including to the United States, we also have supplemental safeguards in place to protect Workplace data and these are described below.

In the Judgment, the CJEU also invalidated Privacy Shield, a framework for regulating transatlantic transfers of personal data from the EEA to the United States. We previously relied on the Privacy Shield for Workplace, but have since migrated to the SCCs, whilst also remaining certified and committed to complying with the Privacy Shield framework.

What measures and safeguards have we put in place to protect Workplace data when it is transferred outside the EEA?

We have in place a number of safeguards and measures to ensure an adequate level of protection for Workplace data being transferred outside the EEA, including:

Facebook maintains an Information Security Management System (ISMS) for Workplace. ISMS is put in place to establish, maintain and continuously improve the confidentiality, integrity, and availability of Workplace information assets and to ensure the trust of users using the Workplace platform. This has allowed Facebook to maintain both ISO27001 and ISO27018 for Workplace, in addition to maintaining a SOC2 report and the robust technical safeguards outlined in the Data Security Addendum of the Workplace Online Terms. Becoming ISO27001 and ISO27018 compliant demonstrates Workplace is committed to protecting its operations and information from internal and external threats.

Encryption of data in transit so it cannot be read:
Facebook employs industry standard encryption algorithms and protocols designed to secure and maintain the confidentiality of data in transit over public networks. Employing advanced encryption algorithms enables Facebook to secure Workplace data in transit from access by third parties.

Operational policies and procedures:
We have robust policies and procedures in place to ensure Workplace data is adequately protected in relation to requests from governmental agencies. For example, we will only comply with a governmental request for Workplace user data after we are satisfied that the request complies with applicable law and our policies. If the request is unlawful (e.g. overly broad, or legally deficient in any way), we will push back or challenge the request. We encourage governmental agencies to submit only requests that are necessary, proportionate, specific, and strictly compliant with applicable laws, by publishing guidelines for government requests. More details about how we respond to government requests are provided in the Reviewing Government Requests FAQ.

No “back door” governmental access: We do not provide any government with direct access or encryption “back doors.” We believe that intentionally weakening our services in this way would undermine the security that is necessary to protect people who use our global service.

We have a dedicated, trained Law Enforcement Response Team (LERT) that reviews and evaluates every government request for user data individually, whether the request was submitted related to an emergency or through legal process obtained by law enforcement or national security authorities. This team ensures that all requests are consistent with applicable law and our policies.

Facebook Transparency Report:
We publish information on government requests we receive in our Transparency Report. Information regarding requests made under the US Foreign Intelligence Surveillance Act (FISA) is included in the report with the maximum level of detail permitted under US law.

We appreciate the focus of governments across the globe on protecting and safeguarding people’s data, including in the US and Europe, and we work hard to do our part. We actively engage with governments to encourage practices that protect peoples’ rights. We belong to advocacy groups like Global Network Initiative, whose mission is to advance the freedom of expression and privacy rights of Internet users worldwide; and are a founding member of Reform Government Surveillance, which advocates for government data requests to be rule-bound, narrowly tailored, transparent, subject to strong oversight and protective of end-to-end encryption. We support surveillance reform and frequently engage with various government and regulatory bodies to advocate the same.

Individual rights:
In addition to the rights under EU law, the SCCs and US law, individuals also have the right to submit a complaint or request to the Privacy Shield Ombudsperson in the United States.

How does Facebook handle law enforcement requests relating to Workplace?

Facebook’s policy is to redirect government requesters to the Workplace customer in the first instance. If Facebook is required to respond to a request for information relating to Workplace customer data, then this Government Requests FAQ sets out the policy and processes which will apply.

Facebook scrutinizes every government request we receive, regardless of which government makes the request, to make sure it is legally valid. If we determine that a government request is not consistent with applicable law or our policies, we push back and engage the governmental agency to address any apparent deficiencies. If the request is unlawful (e.g. overly broad, or legally deficient in any way), we will challenge or reject the request. We encourage governmental entities to submit only requests that are necessary, proportionate, specific, and strictly compliant with applicable laws, by publishing guidelines for government requests.

We have robust policies to ensure every government request is scrutinized no matter which government makes the request. Facebook must comply with valid and compulsory legal requests from US government agencies. These requests must be made in accordance with applicable law and our policies, and we produce only the information that is narrowly tailored to respond to each request.