Last updated: May 25, 2022
What is a Data Processing Agreement?
Stripe offers Business Users (also known as Stripe users) a Data Processing Agreement (“DPA”) which governs the relationship between the Business User (acting as data controller) and Stripe (acting as data controller and data processor). The DPA is supplemental to, and forms an integral part of, the Stripe Services Agreement between Stripe and a Business User.
What are Standard Contractual Clauses?
The Standard Contractual Clauses (“SCCs”) are a data transfer mechanism issued by the European Commission that organisations can use for cross-border data transfers outside the EU and the UK. The SCCs are required by the EU data protection law (known as the GDPR).
If you are a Business User, we offer the modernised SCCs published in 2021 (“EU SCCs”) for cross-border transfers outside of the EEA and Switzerland. If you have signed an older version of the SCCs, these will remain valid until 27 December, 2022.
Following Brexit, the older versions of the SCCs (being the SCCs approved by the European Commission under the pre-GDPR regime) will continue to apply to transfers of personal data from the UK (“Original SCCs”).
Does Stripe offer the UK Addendum or International Data Transfer Agreement?
On 21 March 2022, the Information Commissioner’s Office’s International Data Transfer Agreement and the much-expected amended Addendum to the EU SCCs came into force in the UK.
Stripe is committed to having appropriate safeguards and measures in place to accommodate international data transfers. We are currently reviewing the documents and we will be implementing the appropriate transfer tool across Stripe contracts (where applicable) in the near future.
If the Original SCCs are in place between Stripe and your business, these remain valid for transfers outside of the UK until 21 March, 2024. We will offer the UK Addendum by 21 September, 2022 at the latest. We will share updates and guidance to Business Users here shortly.