Data Processing Agreement Update - January 2022
Role as processor/controller
We have made some changes to our role as data processors in some places in the DPA. This is our reasoning:
- For users that choose to use Google as a third-party authentication mechanism for logging in to Whereby, the following additional information such as Google account userID, Display Profile image and URL is processed. We obtain this information from google but are we determining the means and purpose of this data- we can say that because we are enabling signing-in through these credentials. Therefore, we consider ourselves a controller for this data. However, we have removed this information from our DPA because our DPA only applied to situations where we are data Processors.
As data controllers, we require you to acknowledge that the processor (Whereby) is based in Norway, whereas the data pertaining to this agreement is stored in the Republic of Ireland or another location the processor may choose in the EU/EEA. Where edge components outside the EU/EEA are used for transient storage, the transfer is expected to be covered by one of the contract performance exceptions under Article 49(1)(b) or (c) GDPR as such transfer is subject to the choice of the controller and/or its users to engage in communication with someone who is based outside the EU/EEA. Should a transfer for any reason not be covered by said GDPR exceptions, Standard Contractual Clauses shall be used.
If you have any questions or comments to this update, please contact firstname.lastname@example.org.