Did not receive a reply from gdpr@jotform.com

Hallo Jotform,

ich warte immer noch auf eine Antwort bereits seit über einem Monat, die ich an gdpr@jotform.com geschrieben habe:

Dear Jotform,

it would still be interesting to know why the standard contractual clauses are then attached to the contract for commissioned processing, and in particular, in clause 7 of the contract, it is indicated that they refer to "personal data transferred outside the EEA, either directly or with an intermediate stopover" to a country without an adequate level of protection. If Jotform Ltd. is the contracting party, our understanding is that the personal data will be transferred to the UK, a country with an adequacy decision, so there would be no need to enter into standard contractual clauses.

Best regards, 

Hi Etienne,

Thanks for reaching out to Jotform Support. Please allow me time to look into this.

I will circle back to this thread to let know if I have an update.

Hi Etienne,

Thanks for patiently waiting. We escalated your request to our Relevant Team.

Once receive an update, we will circle back to this thread to let you know.

Hi Etienne,

Thanks for patiently waiting. I receive an update from the GDPR Team and as per them, If Jotform Ltd is the contracting party, you are correct that there would be no need for a transfer to another country. Our DPA still applies overall, even if a particular aspect of it may not apply in every case in every country. 

Let us know if you have any other questions.

Dear Jotform Team,

Pursuant to Art. 26 (3) f) GDPR, it must be included in the contract that the processor supports the controller in complying with the obligations set forth in Articles 32 to 36. In the present contract, however, the obligation to provide support only refers to the obligations from Articles 32 to 34 of the GDPR (cf. page 4). Support for a possible data protection impact assessment and consultation with the supervisory authority cannot be derived directly from the text of the contract, nor can this obligation be derived from the other specified obligations. As this could be seen as a compliance violation, the associated risks would have to be weighed up before concluding the contract.

Did you forgot to include Article 35 & 36?

Hello Etienne,

Thanks for getting back to us. I'll forward your concern to the Relevant Team, and we'll circle back to this thread as soon as we have an update.

We appreciate your patience and understanding.

Hello Etienne,

Thanks for patiently waiting. I received an update from the GDPR team, and they said that despite the recent adequacy decision regarding transfers from the EU to the US, Jotform is still in the process of self-certifying to the DPF. Until then, the SCCs are attached.

Let us know if you have any other questions.