Update on Bubble's GDPR compliance work

Yes, this Privacy Shield… what is this??
Does it mean my potential EU customers can be confident that their EU data and privacy is not violated by being diverted to Oregon? This is a serious matter of choice… to use Bubble or not, as I am liable for serious fines…
that’s my concern.

And please explain the concept of a dedicated box. Is this an on-premise box? Somewhere in my EU jurisdiction?

Sounds unnecessarily complex.
Isn’t it simple for you to use an EU region and AZ?

Hi Pat,

Great questions! To start, our Privacy Policy and Data Processing Addendum are updated in accordance with GDPR.

Regarding Privacy Shield: Bubble is self-certified to the EU-US Privacy Shield Framework as part of our GDPR compliance. Privacy Shield was designed to enable the compliant transfer of personal data from data controllers in the EU and Switzerland to data controllers or processors in the US. It’s a mechanism used by such companies as AWS and Google to transfer EU data to the US under GDPR. You can learn more and see our certification at https://www.privacyshield.gov.

Regarding Dedicated boxes: while Bubble doesn’t currently offer on-premise hosting, we do offer dedicated hosting, maintained by us. This is not the same as on-premise hosting, but it guarantees that your apps run on separate servers. If you need servers located in Europe, a Dedicated box can address this.

Thanks a lot for this and the overall infos.

To be clear, as EU bubblers, can you explain to us what we should mention to our users in our terms and conditions?
Do we have to write that their personal info could be stored and hosted in the US?
Do we have to make a reference to Bubble’s privacy policy and your sub-processors? To the Privacy Shield?

It is not very clear what we should make explicit or not… Help on this would be much appreciated.

Thank you a lot

2 Likes

Hi,

Thanks for your question and for reaching out for guidance!

To level set – for the purposes of the apps that you build on Bubble, you are the Controller for your users’ data and we are the Processors, which means – among other things – that we must only process your users’ data according to your instructions, insofar as they are GDPR compliant.

To answer your questions explicitly, we can’t give you legal advice on what you need to tell your users to be compliant with GDPR and any other applicable regulations. Personally, we believe in being transparent and honest, which does mean telling them that their personal info could be stored and hosted in the US, and that we would be one of your processors or sub-processors. You may want to consult with a lawyer as you set up your terms and conditions – as I mentioned, none of this should be construed as legal advice from Bubble.

Helpful links!
Take a look at the following sections of the GDPR regulation for more context:

3 Likes

Hello Elisa,

I’m new here. We are evaluating whether we could use Bubble.io as a service.
GDPR compliance is a must-have for the app we want to build.

I’m not sure the EU-US Privacy Shield Framework is enough to comply with GDPR.

The judgment in the Schrems II case issued by the European Court of Justice on Thursday 16 July 2020 found that Privacy Shield is no longer a valid way to transfer personal data outside of the EEA.

https://ico.org.uk/make-a-complaint/eu-us-privacy-shield/

Very interesting case.
https://edpb.europa.eu/our-work-tools/our-documents/other/frequently-asked-questions-judgment-court-justice-european-union_en

If we go for a dedicated plan, can we choose the server locations to be exclusively in EU without data transfer outside EU?

Thanks,
Julien

Hi Julien, welcome to the forum. This is a pretty old thread (I’m going to lock it for archive purposes), but you can see more discussion of the implications of the Schrems II case in our latest community update (Monthly Community Update - August 2020) and in the dedicated discussion thread about it (US PRIVACY SHIELD Defunct What now?)