Cross-border data transfers

 

Last updated: 21 September 2023

 

When Adobe transfers personal information from customers across national borders, we do so in compliance with applicable law.

 

How does Adobe transfer your personal information?

For our individual users and customers whose use of Adobe websites and apps results in the transfer of personal information from the European Economic Area (EEA), the United Kingdom or Switzerland to non-EEA countries, we rely on one or more of the following legal mechanisms: Standard Contractual Clauses, the European Commission's adequacy decisions about certain countries, as applicable and consent of the individual.

Adobe Systems Software Ireland has also conducted detailed Transfer Impact Assessments and have summarised them into a customer facing version here: https://www.adobe.com/privacy/adobe-transfer-impact-assessment.html

 

For our individual users and customers whose use of Adobe websites and apps results in the transfer of personal information from Japan to other countries, we rely on one or more of the following legal mechanisms: the Japanese Personal Information Protection Commission (JPIPC)’s adequacy decisions about the personal information protection system of the European Union and the United Kingdom, the JPIPC’s rule of the standard of ensuring the implementation of measures in line with the purport of the provisions under Chapter IV, Section 2 of the Act of the Protection of Personal Information of Japan (APPIJ) by an appropriate and reasonable method, as applicable and consent of the individual.

 

Additional information about Adobe’s privacy practises relating to our individual users and customers is available in the section of the Adobe Privacy Centre titled “What does Adobe do with your personal information?”

 

How does Adobe transfer personal information on behalf of our business customers?

For our business customers whose use of Adobe solutions involves the processing of personal information from the EEA, the United Kingdom or Switzerland, Adobe Systems Software Ireland Limited (Adobe Ireland) processes your personal information and may transfer it to Adobe entities in non-EEA countries, such as Adobe Inc. (Adobe U.S.). Where it does so, Adobe relies on Standard Contractual Clauses (SCCs) and adequacy decisions about certain countries, as applicable and has entered into SCCs between its relevant entities to cover these transfers. We have also prepared a Data Processing Agreement (DPA) to cover the processing of EU personal information of our business customers. If you are an Adobe business customer (with Enterprise Licensing) and want to enter into a DPA with Adobe, please request those documents from us.

 

For our business customers whose use of Adobe solutions involves the processing of personal information from Japan, Adobe Systems Software Ireland Limited (Adobe Ireland) processes your personal information and may transfer it to Adobe entities in non-EEA countries, such as Adobe Inc. (Adobe U.S.). Where it does so, Adobe relies on the JPIPC’s adequacy decisions about the personal information protection system of the European Union and the United Kingdom, the JPIPC’s rule of the standard of ensuring the implementation of measures in line with the purport of the provisions under Chapter IV, Section 2 of the APPIJ by an appropriate and reasonable method, as applicable. 

 

Additional information about Adobe’s privacy practices in relation to our business customers is available in the section of the Adobe Privacy Centre titled “What do Adobe’s business customers do with your information?”

 

Adobe Data Privacy Framework certification

Adobe Inc. (our U.S. company) has certified to the EU-U.S. Data Privacy Framework and Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce regarding the transfer of personal information from the European Economic Area (EEA), the United Kingdom and Switzerland to the United States. To learn more about the EU-U.S. Data Privacy Framework or to view the certification for Adobe Inc., please see  https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt0000000TNo9AAG&status=Active.

 

As described in the Privacy Policy, for individual users who reside outside of North America, your relationship is with Adobe Systems Software Ireland Limited, which is the “data controller” with regard to EU personal information collected by Adobe. Your personal information may be transferred to other Adobe entities, as described above.

 

With respect to personal information processed on behalf of our EEA, United Kingdom and Swiss business customers under EU privacy laws, Adobe Systems Software Ireland Limited (Adobe Ireland) is generally considered a “data processor.” For example, an EEA business customer may use Acrobat Sign to process documents containing names, email addresses and other personal information about its end customers. As part of Adobe providing services to the business customer, Adobe Ireland may transfer this personal information of end customers to other Adobe entities under Standard Contractual Clauses, as described above.

 

Additional descriptions about how we treat personal information that was transferred are available in the following sections of the Adobe Privacy Policy:

 

If you have a question or complaint about our compliance with the Data Privacy Framework Principles, please contact us. If we do not resolve your complaint, Adobe has chosen to cooperate with a dispute resolution provider established by the Association of National Advertisers (ANA), who will hear such complaints (more information). You may also have a right to invoke binding arbitration for unresolved complaints (more information). Adobe U.S. is subject to the investigatory and enforcement powers of the FTC.

 

For information regarding our security measures, please visit the Adobe Security Centre.