This document provides information in connection with customers’ use of Databricks products and services (Databricks’ Services) to assist in conducting a transfer impact assessment of customer personal data from the European Economic Area, United Kingdom or Switzerland ("Europe") in light of recommendations from the European Data Protection Board ("EDPB"). It also describes the supplementary measures that we offer to protect customer personal data.

For more information on the Schrems II ruling and EDPB Recommendations please visit this page.

Step 1. Know your transfer - Mapping transfers to Databricks

Databricks’ Services are offered globally, and in limited circumstances, may involve transfers of personal data. Under certain global privacy laws, including Europe, personal data cannot be transferred outside the European Economic Area (“EEA”) (i) the importing country has been deemed by the respective privacy authorities in the jurisdiction to have an adequate level of protection and therefore personal information can flow freely without any further transfer mechanism, or (ii) the data exporter has appropriate safeguards in place to ensure that the personal data transferred is subject to an adequate level of data protection.

Where Databricks processes personal data governed by European data protection laws as a data processor (on behalf of our customers), Databricks complies with its obligations under its customer Data Processing Addendum ("DPA").

The Databricks customer DPA provides a description of Databricks’ processing of customer personal data (Exhibit A) and description of Databricks’ security measures.

Is customer personal data transferred to Subprocessors?

Yes. The subprocessors relevant to an individual customer will ultimately depend on which cloud you select to operate the Databricks Services on, as well as specific functionalities within the Databricks Services that you choose to use. A list of our Subprocessors (and their purpose and location), as well as an email subscription where you can stay up-to-date on changes, is available here.

Databricks has implemented appropriate safeguards so that customer personal data remains protected whenever it is processed by our Subprocessors, including entering into data processing agreements and transfer mechanisms (such as the Standard Contractual Clauses (SCCs)) and implementing supplementary measures as described below. Databricks also has a process in place to review the privacy and security controls for Subprocessors that have access to customer personal data.

Step 2: Identify the transfer tool relied upon

How does Databricks legalize, and also help its customers legalize, transfers of personal data outside of European Economic Area?

Standard Contractual Clauses: When transferring data to a jurisdiction not benefitting from an adequacy decision, Databricks currently relies on the implementation of SCCs and supplementary measures for international data transfers. The SCCs are a legally valid mechanism for the transfer of data to a third country. Exporting controllers and processors must conduct transfer impact assessments for transfers to the U.S. or to any third country when relying upon the SCCs. The most recent set of SCCs are those pursuant to Regulation 2016/679 and were released in 2021 (“2021 SCCs”) available here. The 2021 SCCs are incorporated in the Databricks Data Processing Addendum available here. If you have an existing DPA with Databricks, you can amend it to include the 2021 SCCs by using our self-serve amendment.

Where customer personal data originating from Europe is transferred between Databricks group companies or transferred by Databricks to third-party subprocessors, Databricks enters into SCCs with those parties and other supplementary measures as applicable.

Adequacy and the EU-US Data Privacy Framework: The European Commission recently adopted its adequacy decision of the EU-US Data Privacy Framework for transfers of personal information to the United States. On the basis of the adequacy decision, personal data can flow freely from the EU to companies in the United States that participate in the EU-US Data Privacy Framework. Databricks is currently Privacy Shield certified, and plans to update its processes for EU-US transfers to adhere to the principles of the new EU-US Data Privacy Framework as transfer mechanism. To learn more about the EU-US Data Privacy Framework and Corresponding Executive Order, visit this page.

Step 3: Assess whether the transfer tool relied upon is effective in light of the circumstances of the transfer

What is Databricks practical experience dealing with government access requests?

To date, Databricks has not received any government request for access to customer data and is not aware of any governmental unauthorized access, and Databricks has not provided such data to governments. Further, Databricks has not provided backdoors to any government. Databricks has law enforcement procedures in the event we receive a request.

Does Databricks publish a transparency report?

As noted above, Databricks has never received a request from a government authority to access customer personal data or customer account information. If we ever receive such a request, we will begin publishing transparency reports.

Step 4: Identify the supplementary measures applied to protect the transferred data.

In addition to the SCCs, Databricks offers a number of supplementary measures to ensure that customer personal data remains protected when it is transferred outside Europe. These measures include:

• a comprehensive security program designed to protect your data and workloads, including capabilities such as encryption, network controls, data governance and auditing. Our security measures are set out in the Security Addendum that is standard in our customer agreements and data processing addendums;
• internal organizational policies and processes to address government access requests and ensure customer personal data remains protected wherever it is processed; and
• rigorous contractual commitments regarding the measures we take to protect customer personal data and help customers address their obligations under the GDPR.
  • SCCs: Databricks’ customer DPA incorporates the 2021 Standard Contractual Clauses to transfer customer personal data to countries outside Europe where necessary to provide the Databricks’ Services.
  • Processing in accordance with instructions: Databricks commits to processing customer personal data in accordance with the customer's instructions as necessary to provide the Databricks’ Services.
  • Audits: Databricks will perform annual audits of our security measures according to ISO and SOC standards or substantially equivalent standards, as detailed in our Trust Center.
  • Subprocessors: Databricks enters into written agreements with our Subprocessors that include data protection and security measures consistent with the measures we offer our customers.

How can I obtain further information?
To help you further perform your transfer impact assessment and understand how you can address your data protection requirements, we encourage you to read the Data Processing Addendum, Security and Trust Center and Security Addendum, as well as Documentation for details specific to your chosen cloud environment. If you have any questions regarding these documents, please contact [email protected].

---

Legal Notice: Customers are responsible for making their own independent assessment of the information in this document. This document: (a) is for informational purposes only, (b) represents Databricks’ current products and services, which are subject to change without notice, and (c) does not create any commitments or assurances from Databricks and its affiliates, suppliers, or licensors. The responsibilities and liabilities of Databricks to its customers are controlled by Databricks agreements, and this document is not part of, nor does it modify, any agreement between Databricks and its customers.

Last updated: July 27, 2023