UKG certified under the E.U.-U.S. Data Privacy Framework

July 31, 2023

Written By

Noemie Weinbaum

Legal Director

Noemie is a privacy, information security and technology attorney with over 20 years of experience in risk management, and regulatory and privacy compliance. She's also a frequent speaker and author on privacy and innovation matters.

As an individual, Noemie is committed to promoting innovation and continued success of business by fostering balanced protection of privacy, as well as legal and contractual trust in the use of technology and in the responsible, protected collection and processing of people's data.

With the European Union passing an adequacy decision and allowing a new E.U.-U.S. Data Privacy Framework (DPF), UKG is now a certified organization under the framework, effective July 17, 2023. This change provides additional reassurances related to cross-border transfers of personal data from the European Union to the United States in a way that’s compliance with E.U. data protection laws. Here’s a quick breakdown:

A new way to transfer personal data across the Atlantic

The E.U.-U.S. DPF is a new framework that allows organizations to transfer personal data from the European Union (EU) to the U.S. This is a welcome step towards greater transatlantic cooperation on data protection.

Recently, changes to U.S. intelligence-gathering requirements enabled the path to the new framework for transfers of E.U. personal data. Transfers based on the adequacy decision do not require any specific authorization under Article 45 of General Data Protection Regulation (GDPR) to legitimize transatlantic data transfers.

Understanding General Data Protection Regulation

The GDPR is a regulation in E.U. law on data protection and privacy for all individuals within the E.U. and the European Economic Area (EEA). It also addresses the export of personal data outside the E.U. and EEA areas. GDPR aims primarily to empower individuals by giving them more control over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the E.U.

The E.U.-U.S. DPF and GDPR are sets of rules designed to protect the privacy of personal data. UKG will continue to abide by the Standard Contractual Clauses and other applicable cross-border mechanisms, including for transfers out of the United Kingdom and Switzerland for intra-group transfers and transfers to our subprocessors. The Standard Contractual Clauses will remain a valid instrument to demonstrate our compliance with Article 28 of GDPR.

We remain a privacy advocate and are committed to maintaining a high level of transparency through the Transfer Impact Assessment and Transparency Report.

Currently, UKG uses multiple mechanisms to provide you with cross-border transfer security and greater customer protection:

An inter-company agreement applicable to all UKG affiliates
Standard Contractual Clauses (SCCs), which are included in the UKG Data Processing Agreement and reflects best-in-industry commitments

UKG continues to abide by the SCCs and other applicable cross-border mechanisms, including for transfers out of the U.K. and Switzerland for intra-group transfers and transfers to our subprocessors. The SCCs remain a valid instrument to demonstrate UKG compliance with the GDPR.

Additionally, UKG maintains its Privacy Shield certification and is in the process of adopting the required changes to our privacy notice to transition to the DPF by mid-October 2023.