International Data Transfers
Published on: April 23, 2024
Introduction
At Telesign, privacy is embedded in everything we do in service to our Customers and is taken very seriously by all Telesign employees.
Telesign has in place a comprehensive data privacy program which encompasses global laws and regulations including the California Consumer Privacy Act (“CCPA”), EU General Data Protection Regulation (“GDPR”), Brazilian Lei Geral de Proteção de Dados (“LGPD”), Serbian Zakon o zaštiti podataka o ličnosti (“ZZPL”), Chinese Personal Information Protection Law (“PIPL”), Singaporean Personal Data Protection Act (“PDPA”), and Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) (“Applicable Data Protection Laws”). Our data privacy program is aligned with the key principles of data protection – lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
Locations, Data Centers, and Sub-Processors
Telesign is headquartered in Los Angeles, California, USA, and additionally has offices in Belgrade, Serbia, with support from an operational sub-processor based in Lithuania (EU). Personal data, including Customer data, is transferred from the Customer to the US and Serbia offices daily for the purposes of service delivery, operational support, troubleshooting and billing. Telesign’s current data center setup includes four data centers: two in the United States (California and Texas), one in Belgium (EU) and one in the Netherlands (EU). Furthermore, Telesign uses various carriers, network transit providers and data service providers (Sub-processors) for transmission of telecommunication services, such as SMS and Voice, globally.
Currently, all personal data is replicated across the four data centers (some of which are outside of the EU/EEA) for traffic load balancing and service availability. As a part of Telesign’s ongoing commitment to data privacy and in response to increased Customer requests for EU data residency, Telesign will soon have the capability to ensure that personal data is processed and stored only within the European Union (EU) for most of its Services.
Contractual safeguards
Telesign ensures that a Data Processing Agreement (DPA) is in place with all Customers (defining us as a Data Processor) and Providers (where we are defined as a Data Controller).
In the DPA, we commit to the obligations required under Applicable Data Protection Law, and flow down these obligations to our Processors and sub-processors, as applicable. Such obligations include having in place an appropriate safeguard for any international transfers of personal data.
Under the GDPR, for example, personal data cannot be transferred outside of the EEA to organizations located in third countries unless (a) the importing country is deemed adequate by European authorities (the European Commission, UK Information Commissioner (ICO) or the Swiss Federal Data Protection and Information Commissioner (FDPIC)), or (b) appropriate safeguards are in place to ensure that transferred personal data is subject to an adequate level of data protection, such as the SCCs.
Telesign relies on the Standard Contractual Clauses (‘SCCs’) as the adequate safeguard to legally operationalize international transfers from the EEA/EU and the UK. Effective September 27, 2021, the newly updated SCCs are applied to address all international transfers. These new SCCs are designed by the European Commission to better align with the regulatory requirements of the GDPR, and to address issues highlighted in recent legal decisions like Schrems II[1].
To review Telesign’s Customer SCCs, please visit: Telesign SCCs.
Supplementary measures
Telesign remains committed to complying with the SCCs and responding to any additional transfer impact analysis questionnaires coming from our Customers to the best of our ability and without undue delay.
As a data importer, Telesign is open to negotiating any supplementary measures (technical, contractual or organizational) for international transfers, in good faith, as long as they are not contradictory to any applicable law. In addition, Telesign commits to being compliant with any privacy regulations in their existing form and as and when they are updated. Even though the data exporter (Telesign’s Customer) is liable for assessing its transfers and supplementary measures, Telesign, as a data importer, wishes to offer its response to supplementary measures in compliance with the recommendations of the EDPB (European Data Protection Board). Please visit: Transfer Impact Analysis for more information.
For more information on Telesign’s third-party risk management and overall privacy practices, please see our Privacy Hub.
[1] The Court of Justice of the European Union (CJEU) judgment of 16 July 2020 (Data Protection Commissioner v. Facebook Ireland LTD, Maximillian Schrems, C-311/18)