Transfer Impact Assessment Information

This page provides information and resources to assist Notion customers with completing their transfer impact assessments. This page is for informational purposes only. Notion may update or change this page at any time and will update the Last Updated date below when updates or changes are made.

Overview

Schrems II

In the European Court of Justice’s ruling in the “Schrems II” case (Data Protection Commissioner v. Facebook Ireland and Maximillian Schrems, Case C-311/18), the Court of Justice of the European Union (“CJEU”) invalidated the EU-U.S. Privacy Shield as a cross-border data transfer mechanism on the grounds that U.S. government surveillance laws do not provide privacy protections that meet EU standards.
The CJEU also determined that transfers of EEA personal data to third countries under the EU Standard Contractual Clauses require an evaluation of whether the government surveillance laws in the recipient country provide privacy protections that meet EU standards. If protections under local laws alone are found to be insufficient, data exporters are required to identify supplementary measures for protecting the personal data that would be sufficient to meet EU standards. The European Data Protection Board has issued recommendations instructing companies to implement such supplementary measures, including conducting transfer impact assessments.

U.S. Laws

The CJEU identified two U.S. government surveillance laws as impairing the protection of EU personal data processed in the U.S.: FISA 702 and EO 12333.

FISA 702

Section 702 of the Foreign Intelligence Surveillance Act (“FISA 702”) is a U.S. statute that enables the federal government to require that companies disclose data about individuals located outside of the United States for foreign intelligence purposes. FISA 702 establishes an independent court called the Foreign Intelligence Surveillance Court that reviews and approves government orders for data collection requests.

EO 12333

Executive Order 12333 (“EO 12333”) is a directive to U.S. government intelligence agencies to conduct intelligence collection activities. EO 12333 does not itself authorize U.S. government agencies to compel the disclosure of data. EO 12333 must rely on a statute, such as FISA 702, to collect data.

How do FISA 702 and EO 12333 apply to Notion?

FISA 702 applies to “Electronic Communications Service Providers.” This term is defined broadly and includes remote computing service providers. Because of this broad definition, it’s possible that Notion technically could be subject to FISA 702, as would most U.S.-based SaaS companies.
However, according to a white paper issued by the White House in 2020, the U.S. government focuses its requests for information under FISA 702 on communications data. The white paper states that most companies do not process the types of data that are of interest to the U.S. government. It states that most companies have never received orders to disclose data under FISA 702 and have never disclosed data to U.S. intelligence agencies.
In practice, it is unlikely that FISA 702 would apply to Notion. Notion does not process communications data and is not a telecommunications provider. Notion only transfers data relating to its customers using the services.
It is also unlikely that EO 12333 would require Notion to disclose data. EO 12333 does not authorize U.S. agencies to compel disclosure of data. Any such disclosure requests would need to be processed under a statute like FISA 702.

Has Notion received government data access requests?

As of the Last Updated date below, Notion has not received any requests from U.S. government agencies to obtain personal data. This includes national security requests under FISA 702 as well as requests via court orders and emergency requests.

Data Transfers At Notion

Notion may transfer EU customer personal data wherever we or our third-party service providers operate for the purpose of providing the Notion services.
In order to provide our services to you, where applicable, we transfer EU customer personal data to the United States and store the data in the United States using Notion’s third-party service providers. We transfer this data to subprocessors that help us provide the Notion services. This includes intra-company transfers to Notion affiliates.
For more information, please see Notion’s List of Subprocessors, which identifies the primary locations where your data is processed.
The customer personal data we process is described in our Privacy Policy and our Data Processing Addendum.

Safeguards for Transfers

Notion relies on the EU Standard Contractual Clauses for transfers of customer personal data originating in the European Economic Area to Notion.
To safeguard onward transfers of customer personal data originating from the European Economic Area to Notion’s subprocessors, Notion enters into the EU Standard Contractual Clauses with its subprocessors.

Notion’s Technical, Organizational, and Contractual Measures for Protecting Transferred Data

Technical Measures

  • Encryption: Notion uses TLS 1.2 to encrypt network traffic between users' browsers and the Notion platform. We also use AES-256 encryption to secure your database connection credentials and data stored at rest.
  • Security certifications: Notion has completed both SOC 2 Type 1 and SOC 2 Type 2 reports, certifying that our security policies and controls continuously meet the highest industry standards.
For more information about our technical security measures, see our Security and Privacy page.

Organizational Measures

  • Privacy Policy: Notion maintains a Privacy Policy that describes our privacy and data protection practices.
  • Training: All Notion employees are required to complete security training.

Contractual Measures

  • Data Processing Addendum: Notion provides a Data Processing Addendum that sets out Notion’s contractual obligations for processing EU personal data. This includes Notion’s obligations for responding to data access requests.

How Would Notion Respond to a Government Data Access Request?

If Notion receives a document purporting to request, demand or compel the production of customer personal data to a third party that is not a data subject, Notion will provide the affected customer with notice and allow the customer an opportunity to respond, to the extent permitted by applicable laws.

Resources

More information about Notion’s privacy and security practices is available through the links below.

Notice

The information contained in this page does not create any commitments or assurances from Notion and its affiliates, suppliers or licensors. The responsibilities and liabilities of Notion to its customers are controlled by Notion agreements, and this document is not part of, nor does it modify, any agreement between Notion and its customers.
Last Updated Date: August 26, 2022