
SCHREMS II AND BLOOMREACH: FREQUENTLY ASKED QUESTIONS


At Bloomreach, we’re committed to ensuring privacy principles are upheld throughout our business and that our customers have the confidence to entrust us with their data. Since the European Court of Justice issued its "Schrems II" judgment, we know that our customers have faced an additional challenge when selecting service providers located outside of Europe. We are excited to share how Bloomreach can help.

What does the Schrems II judgment mean?
Back in July 2020, the European Union's highest court delivered its “Schrems II” judgment, which invalidated the EU-US Privacy Shield Framework (a partial adequacy decision, under which the transfer of personal data from Europe to US-headquartered organisations was permitted in compliance with the General Data Protection Regulation (“GDPR”)). In particular, concerns were raised over the effectiveness of the framework in light of US surveillance laws. In the same judgment, the court confirmed that the European Commission's standard contractual clauses would remain a valid transfer mechanism. However, the court provided that such safeguards could be used only where they ensured an "essentially equivalent" level of protection for data as that guaranteed by European law.

In other words, data can still be transferred to the US, so long as the protection afforded by the transfer safeguards used is not undermined by the local laws applicable to the data importer.

What transfer safeguard does Bloomreach rely on?
Bloomreach's Customer Data Processing Addendum incorporates the 2021 Standard Contractual Clauses ("SCCs"). As noted above, the court in Schrems II provided that SCCs would remain a valid transfer safeguard; the 2021 SCCs are the latest transfer clauses published by the European Commission and address several of the concerns raised in Schrems II.

Can Customers continue to transfer data to Bloomreach? Does Bloomreach have a Transfer Impact Assessment?
As a result of Schrems II, transfers of data from Europe need to be assessed to ensure that adequate safeguards for the data are in place (taking into account local laws). This is commonly referred to as a "transfer impact assessment." Bloomreach is happy to reaffirm our commitment to helping customers protect their data and navigate their compliance obligations when using the Bloomreach services. Accordingly, we have prepared a Transfer Impact Assessment. The outcome of our assessment is that Bloomreach can comply with the SCCs notwithstanding the potential application of certain US surveillance laws. The outcome of our assessment takes into account:

Our practical experience with relevant US surveillance laws (we have never received a request for access to personal data under the laws which formed the basis of the Schrems II judgment, nor are we aware that any US government agency has attempted to access personal data from us directly); and

Our comprehensive security measures designed to protect your data, including:
- capabilities such as layered encryption, network controls, and other access controls;
- internal organizational policies and processes to ensure data remains protected wherever it is processed;
- a dedicated internal data privacy team consisting of a Data Protection Officer, Chief Information Security Officer, and a number of Security Engineers, as well as legal professionals to monitor and ensure compliance with GDPR and local laws; and
- rigorous contractual commitments regarding the measures we take to protect data and to help customers address their obligations under the GDPR.

Is Bloomreach subject to Section 702 FISA?
Bloomreach, like most US-based SaaS companies, could technically be subject to Section 702 FISA and other US regulations. However, Bloomreach is not likely to be subject to upstream surveillance orders under Section 702 FISA, the type of order principally addressed in, and deemed problematic by, the Schrems II ruling.

Section 702 FISA requires an independent court to authorize a specific type of foreign intelligence data acquisition that is generally unrelated to commercial information. Bloomreach does not provide internet backbone services, but instead only carries traffic involving its own customers. To date, the US Government has interpreted and applied Section 702 FISA upstream orders to only target market providers that have traffic flowing through their internet backbone and that carry traffic for third parties (i.e., telecommunications carriers).

In the event that US intelligence agencies were interested in the type of data that Bloomreach processes, safeguards such as the requirement for authorization by an independent court and the necessity and proportionality requirements would protect personal data from excessive surveillance.

EO 12333 contains no authorization to compel private companies (such as Bloomreach) to disclose personal data to US authorities.

Has Bloomreach ever received a government access request?
To date, Bloomreach has never received a US National Security Request (including requests for access under Section 702 FISA) in connection with customer personal data. We are also not aware of any direct access to customer personal data under EO 12333. Based on the services we provide and the scope of data we process, we do not anticipate receiving any requests in the future.

What other recent updates apply to Bloomreach?
In October 2022, President Biden signed an Executive Order titled "Enhancing Safeguards for United States Signals Intelligence Activities", which implements the EU-US Data Privacy Framework ("EU-U.S. DPF"). The EU-U.S. DPF is anticipated to form the basis of a new partial adequacy decision for the US (i.e., Privacy Shield 2.0) and has been negotiated with the European Commission. The Executive Order outlines various principles, restrictions, and standards, which now apply to US surveillance activities and establishes a two-tiered redress mechanism for European individuals who believe that US surveillance practices have violated such standards.

The US Department of Commerce has stated that “[t]hese commitments fully address the Court of Justice of the European Union’s 2020 Schrems II decision and will cover personal data transfers to the United States under EU law, including those using Standard Contractual Clauses, Binding Corporate Rules, or a future adequacy decision for the EU-U.S. DPF.”

Additionally, in its October 2022 "Q&A on the EU-US Data Privacy Framework" the European Commission explained that:
(1) The Executive Order addresses the concerns raised by the Court of Justice of the EU in Schrems II and provides a durable and reliable legal basis for transatlantic data flows; and
(2) the safeguards provided by the Executive Order are available for all transfers to the US under the GDPR, including those under the SCCs.

In Bloomreach's view, as supported by the above statements, the Executive Order signals a significant shift in US law which addresses key issues raised in Schrems II and reaffirms the SCCs as a valid transfer mechanism to the US.

Will Bloomreach become Privacy Shield 2.0 certified?
As the European Commission has confirmed, the Executive Order addresses the concerns raised by the Court of Justice of the EU in Schrems II and provides a durable and reliable legal basis for transatlantic data flows. Bloomreach is fully committed to complying with the Privacy Shield 2.0 framework and becoming Privacy Shield 2.0 certified as soon as the mechanism is in place.

What about Bloomreach's use of Google Analytics?
Bloomreach is aware that over the course of the last year, a number of European data protection authorities have publicly scrutinised the use of Google Analytics (on the basis that Google Analytics' transfer of personal data to the US is not compatible with European data protection law). Generally speaking, various European data protection authorities have found that website operators and businesses need to assess their use of Google Analytics to ensure it complies with European data protection laws and they must document the contractual, technical, and organizational measures in place to ensure data transferred to the US has equivalent protection to that offered in the EU.

In a number of cases, European data protection authorities found that the use of Google Analytics was incompatible with European data protection law, in the form it had been deployed by the businesses under review. Enforcement actions have generally been limited to formal notices requesting changes be made or the use of Google Analytics cease (as opposed to large fines).

Bloomreach has not interpreted the decisions and guidance issued by European data protection authorities as an outright ban on the use of Google Analytics per se; however, we do understand that any use of Google Analytics may in the future be subject to regulatory scrutiny. At the time of writing, Bloomreach can confirm that the only use of Google Analytics within our services is completely optional and turned off by default.