Legal Basis for Processing EU Personal Information
Where SparkPost is a controller of data (e.g., when collected via the Websites or for billing purposes for Customers), the legal basis is either legitimate interest or consent depending on the type of information subject to processing and the information we receive from upstream partners. We may also process data for the performance of a contract with you. Where we rely upon legitimate interest, we have assessed the processing is not high risk, does not involve the processing of sensitive data and will not violate fundamental human rights. With respect to providing the Platform to Customers, SparkPost is a processor of data and the legal basis for processing such data is determined by each Customer.
Data Protection Addendum
While the data protection, privacy, and other laws of the United States might not be as comprehensive as those in your country, if you or your Recipients reside in the European Economic Area, we take many steps to protect your and your Recipients’ privacy, including offering a Data Protection Addendum (DPA), which is available at: https://www.sparkpost.com/policies/DPA.
Cross-Border Data Transfers
SparkPost primarily stores Personal Information in the United States and the European Union (as applicable), in the cloud, our servers, the servers of our Affiliates, or the servers of our Service Providers. To facilitate our global operations, we may transfer and access such information from around the world.
Privacy Shield Framework
SparkPost participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. We are committed to subjecting all Personal Information received from European Union (EU) member countries and Switzerland, respectively, in reliance on each Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, please visit the U.S. Department of Commerce’s Privacy Shield website: https://www.privacyshield.gov/welcome. A list of Privacy Shield participants is maintained by the Department of Commerce and is available at: https://www.privacyshield.gov/list.
We comply with the Privacy Shield Principles for all onward transfers of Personal Information from the EU and Switzerland, including the onward transfer liability provisions. SparkPost is responsible for the processing of Personal Information it receives under the Privacy Shield and subsequently transfers to a Service Provider acting as an agent on its behalf. SparkPost requires third parties and Service Providers to which it discloses Personal Information to protect Personal Information using substantially similar standards to those required by SparkPost and at least the same level of privacy protection as is required by the Privacy Shield Frameworks and this Privacy Policy. SparkPost shall remain liable under the Privacy Shield principles if its Service Provider(s) Processes such Personal Information in a manner inconsistent with the Privacy Shield principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
With respect to Personal Information received or transferred pursuant to the Privacy Shield Frameworks, we are subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
If your Personal Information was received in reliance on either Privacy Shield Framework and you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider JAMS, at no cost to you, at https://www.jamsadr.com/eu-us-privacy-shield. Under certain conditions, more fully described on the Privacy Shield website, https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration after other dispute resolution procedures have been exhausted.
EU Data Subject Rights
The General Data Privacy Regulation (“GDPR”) affords additional rights to EU data subjects. Those rights include the right to complain to EU Supervisory Authorities and the right to access, receive a copy of, correct, delete, block, and limit or object to the processing of your Personal Information processed by SparkPost. Where otherwise permitted by applicable law, you may contact us at privacy@sparkpost.com to request access to, receive, port, restrict Processing, seek rectification or request erasure of Personal Information held about you by SparkPost. Such requests will be carried out in accordance with applicable laws. Although SparkPost makes good faith efforts to provide you with access to your Personal Information, there may be circumstances in which SparkPost is unable to provide access, including for example, where the information contains legal privilege, would compromise others’ privacy or other legitimate rights, where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where it is commercially proprietary. If SparkPost determines that access should be restricted in any particular instance, we will provide you with an explanation of why that determination has been made and a contact point for any further inquiries. To protect your privacy, SparkPost will take reasonable steps to verify your identity before granting access to or making any changes to your Personal Information.
Access Rights for Recipient Personal Information
As a data processor for our Customers, SparkPost Processes data in connection with the Platform, which may include Recipient Personal Information on behalf of our Customers. We will not use, share, distribute, or reference any such Recipient Personal Information except as provided in the applicable agreement between us and our Customer, or as may be required by law. If Personal Information pertaining to you as an individual has been submitted to us by a Customer as Recipient Personal Information and you wish to exercise any rights you may have to access, receive, port, restrict Processing, seek rectification, or request erasure, please inquire with the applicable Customer directly. Because SparkPost personnel have a limited ability to access Recipient Personal Information, if you wish to make your request directly to SparkPost, please provide the name of the applicable SparkPost customer as part of that request. We will refer your request to that Customer and will support them as needed in responding to your request within the timeframe required by applicable law.