Hyland and the EU-U.S. Privacy Shield

This webpage addresses Hyland’s on-going commitment to protect the personal data of residents of the European Union (EU), Switzerland and the United Kingdom in response to the recent decision by the Court of Justice of the European Union (“CJEU”) in Schrems II.

While Schrems II invalidated the EU-U.S. Privacy Shield Framework, the CJEU’s decision reaffirmed the validity of the Standard Contractual Clauses (SCCs) as a mechanism for lawfully transferring personal data from the EU to third countries. The CJEU’s decision noted that the SCCs “may require, depending on the prevailing position in a particular third country, the adoption of supplementary measures by the controller in order to ensure compliance with that level of protection.” The European Data Protection Board (EDPB) subsequently issued recommendations (currently in draft form) on appropriate supplementary measures.

In response to Schrems II Hyland has revised its intercompany SCCs and prepared updated customer and vendor data processing agreements. Additionally, please see the FAQs below to learn more about the supplementary measures in place at Hyland to address the CJEU’s decision.


Q: How does Hyland respond to non-compulsory requests from third parties for access to customer data?
A: Hyland will not provide any third party with access to customer data unless specifically instructed to do so by the customer.

Q: How does Hyland respond to compulsory orders issued by or at the request of third parties for access to customer data?
A: Hyland will provide the third party with access to customer data only to the extent legally required. Hyland will use reasonable efforts to challenge the scope or validity of any compulsory order that Hyland reasonably believes to be overly broad.

Q: Will Hyland notify a customer if Hyland is subject to a compulsory order to provide a third party with access to customer data?
A: Yes, Hyland will notify the applicable customer prior to providing the third party with any access to customer data in response to an order, except where prohibited by law. If Hyland is legally prohibited from notifying the customer, Hyland will work to obtain a waiver of the prohibition to the extent reasonably possible, so that Hyland is able to provide advance notice. Hyland will use all reasonable efforts to cause the third party to redirect the order directly to the customer.

Q: Has Hyland provided any government with its encryption keys or knowledge about how to break its encryption keys?
A: No.

Q: Has Hyland intentionally created a back door or similar code to enable a government to perform surveillance on customer data stored within Hyland’s software?
A: No.

Q: I have a question about Hyland’s SCCs, my data processing agreement or data privacy. Who should I contact?
A: Please contact [email protected].