General Data Protection Regulation (GDPR)

The following guide provides an overview and history of the General Data Protection Regulation (GDPR) and how Recurly supports its merchants in adhering to GDPR requirements.

Privacy is a fundamental right in the European Union (EU)

Privacy of data is one of the fundamental rights guaranteed to European citizens under the Charter of Fundamental Rights of the European Union (2012/C 326/02); thus, businesses in Europe are legally obligated to ensure they adequately protect their data under GDPR.

Brief history of US-EU lawful data transfers

In 1995, the EU passed the Data Protection Directive (DPD), which restricted European companies from sharing personal data outside of the European Economic Area (EEA) unless the recipient country had laws providing data protection similar to that of the EU, and the data transfer occurred under binding corporate rules (BCRs) or standard contractual clauses (SCCs).

In 2000, the EU Commission approved Safe Harbor, which determined the US met the requirements of the DPD and allowed data transfers to the US. This was a lawful basis for data transfers to the US until 2015, when the European Court of Justice (CJEU) ruled it invalid due to the US government having “access on a generalised basis to the content of electronic communications” in a ruling now known as “Schrems I” (after the name of the plaintiff who brought the lawsuit, Maximilian Schrems).

In 2016, a replacement for Safe Harbor was found in the form of the EU–US Privacy Shield. It was also challenged in the CJEU by the same plaintiff, Maximilian Schrems, and was ruled invalid in July 2020 (known as “Schrems II”).

Since July 2020, the main way to lawfully transfer data from the EU to the US is via SCCs. This is what Recurly uses today as the lawful basis for transferring data to/from the EU.

What are Standard Contractual Clauses (SCCs)?

Standard Contractual Clauses are exactly that: contractual terms that have been pre-approved by the European Commission to be used between companies in Europe and outside of Europe to establish a lawful basis for data transfers.

Given that Privacy Shield has been invalidated, Recurly now has a Data Protection Agreement that we offer our merchants that includes the SCCs. It is public and can be found on our website here.

Data Subject Rights

GDPR also outlines a set of fundamental data subject rights. You can read more about these rights and how to contact Recurly regarding them in our privacy policy.

Additional ways Recurly supports merchants and customers in the EU

  • Recurly offers data hosting in the EU.
  • Recurly has a registered privacy agent in Europe that can accept complaints from European citizens.
    The contact information for our registered privacy agent is in our privacy policy.