We are committed to strong privacy and security protections for customer data that is entrusted to us.

Autodesk will continue to use Standard Contractual Clauses (SCCs), which remain valid under the recent Schrems II decision by the European Court of Justice, as a legal mechanism for transferring personal data of its customers from the EEA to the U.S. or other applicable jurisdictions. We have recently revised our Data Processing Agreement (DPA) with the new EU Standard Contractual Clauses.

We also offer customers ‘Supplementary Measures’ on request. These are technical and operational measures (including encryption and review of government requests for access to data) that provide data protection controls for our data transfers from the EU.

Autodesk has also adopted Binding Corporate Rules (BCRs) for controller and processor data transfers that have been approved by the Irish Data Protection Commission.

Autodesk has self-certified and we are officially part of the new Data Privacy Framework. The EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF were respectively developed by the U.S. Department of Commerce and the European Commission, UK Government, and Swiss Federal Administration to provide U.S. organizations with reliable mechanisms for personal data transfers to the United States from the European Union, United Kingdom, and Switzerland while ensuring data protection that is consistent with EU, UK, and Swiss law.

Autodesk has compiled a whitepaper (Data Transfer Whitepaper) documenting how it complies with EU data transfer requirements.