Tealium Data Transfer


Overview

This document provides information to help Tealium customers conduct data transfer impact assessments in connection with their use of Tealium products in light of the Schrems II ruling of the Court of Justice of the European Union and the recommendations from the European Data Protection Board.

In particular, this document describes the legal regimes that may be applicable to Tealium in the US, the safeguards Tealium puts in place in connection with transfers of customer personal data from the European Economic Area, United Kingdom or Switzerland (Europe), and Tealium's ability to comply with its obligations as the data importer under the Standard Contractual Clauses (SCCs).
For more details about Tealium’s compliance program, please visit: The General Data Protection Regulation (GDPR).

Step 1: Know your transfer

Where Tealium processes personal data governed by European data protection laws as a data processor, Tealium complies with its obligations under its Data Processing Addendum (DPA), available at Service Terms.

Please refer to the DPA for information on Tealium's processing activities in connection with the provision of the Services, the types of customer personal data we process and transfer, and the categories of data subjects.

A list of all our data sub-processors and an RSS feed subscription where you can stay up-to-date on changes are available at sub-processors.

We may transfer customer personal data wherever our third-party service providers or we operate to provide you with the Services. The locations will depend on the particular Tealium Services you use, as outlined in the chart below.
The chart asks, for each of four transfer scenarios: In what countries does Tealium process (e.g. access, transfer, or otherwise handle) customer personal data? In what countries does Tealium store customer personal data? What is the purpose of the data transfer? Which Tealium product is involved? The answers are:

  • Tealium Product: AudienceStream
    Processing country: United States
    Storage: Data is not stored outside of the customer-defined region, processing in transit only.
    Purpose of data transfer: Quality Control

  • Tealium Product: AudienceStream
    Processing country: United States
    Storage: Data is not stored outside of the customer-defined region, processing in transit only.
    Purpose of data transfer: Quality Control

  • Tealium Product: AudienceStream, EventStream
    Processing country: United States
    Storage: Data is stored for 10 minutes in memory-backed cache in the United States.
    Purpose of data transfer: Quality Control

  • Tealium Product: AudienceStream, EventStream
    Processing country: United States
    Storage: Data is stored in the customer-defined region and kept for 12 hours in local storage.
    Purpose of data transfer: Quality Control

Step 2: Identify the transfer tool relied upon

Where personal data originating from Europe is transferred to Tealium, Tealium currently relies upon the European Commission's SCCs to provide an appropriate safeguard for the transfer. To review Tealium's Data Processing Addendum (which incorporates the SCCs), please visit Service Terms.

Where Tealium transfers customer personal data originating from Europe to third-party sub-processors, Tealium enters into equivalent terms with those parties.

Step 3: Assess whether the transfer tool relied upon is adequate in light of the circumstances of the transfer

What is Tealium's practical experience dealing with government access requests?

Tealium has never received a US National Security Request (including requests for access under FISA 702 or direct access under EO 12333) in connection with customer personal data.

Therefore, while Tealium may theoretically be subject to the surveillance laws identified in Schrems II, we have not been subject to these types of requests in our day-to-day business operations.

US Surveillance Laws

FISA 702 and Executive Order 12333

The following US laws were identified by the Court of Justice of the European Union in Schrems II as being potential obstacles to ensuring essentially equivalent protection for personal data in the US:

  • FISA Section 702 (“FISA 702”) – allows US government authorities to compel disclosure of information about non-US persons located outside the US for the purposes of foreign intelligence information gathering. The Foreign Intelligence Surveillance Court in Washington, DC, must approve this information gathering. In-scope providers subject to FISA 702 are electronic communication service providers (ECSP) within the meaning of 50 USC § 1881(b)(4), which can include remote computing service providers (RCSP), as defined under 18 USC § 2510 and 18 USC § 2711.

  • Executive Order 12333 (“EO 12333”) – authorizes intelligence agencies (like the US National Security Agency) to conduct surveillance outside the US. In particular, it provides authority for US intelligence agencies to collect foreign signals intelligence information, being information collected from communications and other data passed or accessible by radio, wire and other electromagnetic means. This may include accessing underwater cables carrying Internet data in transit to the US. EO 12333 does not rely on the compelled assistance of service providers but instead appears to rely on exploiting vulnerabilities in telecommunications infrastructure.


Further information about these US surveillance laws can be found in the US Privacy Safeguards Relevant to SCCs and Other EU Legal Bases for EU-U.S. Data Transfers after Schrems II whitepaper from September 2020. This whitepaper, issued in response to the Schrems II ruling, details the limits and safeguards on US public authority access to data.

Regarding FISA 702, the whitepaper notes:

  • For most companies, the concerns about national security access to company data highlighted by Schrems II are unlikely to arise because the data they handle is of no interest to the US intelligence community. Companies handling ordinary commercial information like employee, customer, or sales records would have no basis to believe US intelligence agencies would seek to collect that data.

  • There is individual redress, including for EU citizens, for violations of FISA section 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.


Regarding Executive Order 12333, the whitepaper notes:

  • EO 12333 does not on its own authorize the US government to require any company or person to disclose data. Instead, EO 12333 must rely on a statute like FISA 702 to collect data.

  • Bulk data collection, the data collection at issue in Schrems II, is expressly prohibited under EO 12333.


CLOUD Act

For more information on the CLOUD Act, review What is the CLOUD Act? by BSA Software Alliance, outlining the scope of the CLOUD Act.

The whitepaper notes:

  • The CLOUD Act only permits the US government access to data in criminal investigations after obtaining a warrant approved by an independent court based on probable cause of a specific criminal act.

  • The CLOUD Act does not allow the US government access to national security investigations, and it does not permit bulk surveillance.


Is Tealium subject to FISA 702 or EO 12333?

Tealium, like most US-based SaaS companies, could technically be subject to FISA 702, where it is deemed an RCSP. However, Tealium does not process personal data likely to interest US intelligence agencies.

Furthermore, Tealium is not likely to be subject to upstream surveillance orders under FISA 702, the type of order principally addressed in, and deemed problematic by, the Schrems II decision. Tealium does not provide internet backbone services; it only carries traffic involving its own customers. To date, the US Government has interpreted and applied FISA 702 upstream orders to target only market providers with traffic flowing through their internet backbone and carrying traffic for third parties (i.e., telecommunications carriers).

EO 12333 contains no authorization to compel private companies (such as Tealium) to disclose personal data to US authorities. FISA 702 requires an independent court to authorize a specific type of foreign intelligence data acquisition generally unrelated to commercial information. If US intelligence agencies were interested in the type of data that Tealium processes, safeguards such as the requirement for authorization by an independent court and the necessity and proportionality requirements would protect data from excessive surveillance.

Step 4: Identify the technical, contractual, and organizational measures applied to protect the transferred data

Tealium provides the following technical measures to secure customer data:

  • Data residency: Customer may specify the location(s) where Customer Data (except User Data) will be hosted within the Tealium Network from the following list, as updated by Tealium from time to time: (i) USA; (ii) Ireland; (iii) Germany; (iv) Japan; and (v) and (vi) Hong Kong (each a “Region”). Once the Customer has made its choice, by properly configuring the Services, Tealium will not transfer the hosting of Customer Data from the Customer's selected Region(s) except under the Customer's further written instructions or as necessary to comply with the law or valid and binding order of a law enforcement agency (such as a subpoena or court order). User Data is hosted in the USA in all cases.

  • Encryption: Tealium will use Industry Standard Encryption techniques for Customer Data being stored or transmitted by Tealium in the course of providing Services. Such techniques will require at least (a) a key length of 256 bits or more for symmetric Encryption and (b) a key length of 2048 bits or more for asymmetric Encryption. Tealium shall encrypt Customer Data at rest and in transit between untrusted networks (e.g. the Internet).

  • Security and certifications: Information about Tealium's security practices and certifications is available here: Protecting Your Customer Data.


Tealium's contractual measures are set out in our Data Processing Addendum, which incorporates the SCCs. In particular, we are subject to the following requirements:

  • Technical measures: Tealium is contractually obligated to have appropriate technical and organizational measures in place to safeguard personal data (both under the Data Processing Addendum and the SCCs we enter into with customers and service providers).

  • Transparency: Tealium is obligated under the SCCs to notify its customers if it is made subject to a request for government access to customer personal data from a government authority. If Tealium is legally prohibited from making such a disclosure, Tealium is contractually obligated to challenge such prohibition and seek a waiver.

  • Actions to challenge access: Under the SCCs, Tealium is obligated to review the legality of government authority access requests and challenge such requests where they are considered unlawful. This is formalized in Tealium’s compelled disclosure policy, a copy of which can be obtained on request.

Tealium's organizational measures to secure customer data include:

  • Policy for government access: To obtain data from Tealium, law enforcement officials must provide a legal process appropriate for the type of information sought, such as a subpoena, court order, or warrant.

  • Onward transfers: Whenever we share your data with Tealium service providers, we remain accountable to you for how it is used. We require all service providers to undergo a thorough cross-functional diligence process by subject matter experts in our Security, Privacy, and Risk & Compliance Teams to ensure our customers' personal data receives adequate protection. This process includes a review of the data Tealium plans to share with the service provider and the associated level of risk, the supplier's security policies, measures, and third-party audits, and whether the supplier has a mature privacy program that respects the rights of data subjects. We provide a list of our sub-processors on our sub-processors page (subscribe to our RSS feed so you can stay up-to-date on any changes).

  • Employee training: Tealium provides data protection training to all Tealium staff.

Step 5: Procedural steps necessary to implement effective supplementary measures

As the controller, the customer has the ultimate responsibility to ensure that the risks involved in transferring European personal data to, and processing it in, the US do not impinge on its ability to comply with its obligations under the SCCs (as data exporter) or to ensure that individuals' rights remain protected.

The information provided in this document, including Tealium's practical experience dealing with government requests and the technical, contractual, and organizational measures Tealium has implemented to protect customer personal data, is intended to assist customers with that assessment.

Step 6: Re-evaluate at appropriate intervals

Tealium will review and, if necessary, reconsider the risks involved and the measures it has implemented to address changing data privacy regulations and risk environments associated with transfers of personal data outside of Europe.


Legal Notice: Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents current Tealium product offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from Tealium and its affiliates, suppliers or licensors. The responsibilities and liabilities of Tealium to its customers are controlled by Tealium agreements, and this document is not part of, nor does it modify any agreement between Tealium and its customers.