Cross-border data transfers

How does Adobe transfer your personal information?

For our individual users and customers whose use of Adobe websites and apps results in the transfer of personal information from the European Economic Area (EEA), the United Kingdom, or Switzerland to non-EEA countries, we rely on one or more of the following legal mechanisms: Standard Contractual Clauses, the European Commission's adequacy decisions about certain countries, as applicable, and consent of the individual.

Adobe Systems Software Ireland has also conducted detailed Transfer Impact Assessments and have summarised them into a customer facing version here: https://www.adobe.com/privacy/adobe-transfer-impact-assessment.html

For our individual users and customers whose use of Adobe websites and apps results in the transfer of personal information from Japan to other countries, we rely on one or more of the following legal mechanisms: the Japanese Personal Information Protection Commission (JPIPC)’s adequacy decisions about the personal information protection system of the European Union and the United Kingdom, the JPIPC’s rule of the standard of ensuring the implementation of measures in line with the purport of the provisions under Chapter IV, Section 2 of the Act of the Protection of Personal Information of Japan (APPIJ) by an appropriate and reasonable method, as applicable, and consent of the individual.

Additional information about Adobe’s privacy practices relating to our individual users and customers is available in the section of the Adobe Privacy Center titled “What does Adobe do with your personal information?”

How does Adobe transfer personal information on behalf of our business customers?

For our business customers whose use of Adobe solutions involves the processing of personal information from the EEA, the United Kingdom, or Switzerland, Adobe Systems Software Ireland Limited (Adobe Ireland) processes your personal information and may transfer it to Adobe entities in non-EEA countries, such as Adobe Inc. (Adobe U.S.). Where it does so, Adobe relies on Standard Contractual Clauses (SCCs) and adequacy decisions about certain countries, as applicable, and has entered into SCCs between its relevant entities to cover these transfers. We have also prepared a Data Processing Agreement (DPA) to cover the processing of EU personal information of our business customers. If you are an Adobe business customer (with Enterprise Licensing) and want to enter into a DPA with Adobe, please request those documents from us.

For our business customers whose use of Adobe solutions involves the processing of personal information from Japan, Adobe Systems Software Ireland Limited (Adobe Ireland) processes your personal information and may transfer it to Adobe entities in non-EEA countries, such as Adobe Inc. (Adobe U.S.). Where it does so, Adobe relies on the JPIPC’s adequacy decisions about the personal information protection system of the European Union and the United Kingdom, the JPIPC’s rule of the standard of ensuring the implementation of measures in line with the purport of the provisions under Chapter IV, Section 2 of the APPIJ by an appropriate and reasonable method, as applicable.

Additional information about Adobe’s privacy practices in relation to our business customers is available in the section of the Adobe Privacy Center titled “What do Adobe’s business customers do with your information?”

Adobe Data Privacy Framework certification

Adobe and its U.S. subsidiaries Marketo Inc., Magento (X-commerce, Inc.) and Workfront Inc. comply with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. Adobe has also certified to the US Department of Commerce that it adheres to EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF (as do its U.S. subsidiaries Marketo Inc., Magento (X-commerce, Inc.) and Workfront Inc.). Adobe has also certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF (as do its U.S. subsidiaries Marketo Inc., Magento (X-commerce, Inc.) and Workfront Inc.). In the context of an onward transfer, Adobe has responsibility for the processing of personal data it receives under the DPF and subsequently transfers to a third party acting as an agent on our behalf. Adobe remains liable under the DPF if our agent processes such personal data in a manner inconsistent with the DPF, unless Adobe can prove that we are not responsible for the event giving rise to the damage. The United States Federal Trade Commission has jurisdiction over Adobe’s compliance with the EU-U.S. DPF and the UK Extension to the EU-US DPF, and the Swiss-U.S. DPF. If there is any conflict between the terms in the Adobe Privacy Policy or this policy sub-page and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

You can request a copy of these DPF mechanisms using the contact form in our Privacy Center. For inquiries regarding the scope of our DPF certification:

• Direct any inquiries or complaints concerning our Data Privacy Framework compliance by sending our Privacy enquiry form.
• In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Adobe and its U.S. subsidiaries Marketo Inc., Magento (x-commerce, Inc.) and Workfront Inc. commit to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to the ANA DPF Dispute Resolution service, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.ana.net/content/show/id/accountability-dpf-consumers for more information or to file a complaint. The services of ANA are provided at no cost to you.
• If neither Adobe nor our dispute resolution provider resolves your complaint, you may be able to engage in binding arbitration through the Data Privacy Framework Panel. See Annex I of the EU-U.S. Data Privacy Framework Principles for details.

As described in the Privacy Policy, for individual users who reside outside of North America, your relationship is with Adobe Systems Software Ireland Limited, which is the “data controller” with regard to EU personal information collected by Adobe. Your personal information may be transferred to other Adobe entities, as described above.

With respect to personal information processed on behalf of our EEA, United Kingdom, and Swiss business customers under EU privacy laws, Adobe Systems Software Ireland Limited (Adobe Ireland) is generally considered a “data processor.” For example, an EEA business customer may use Adobe Sign to process documents containing names, email addresses, and other personal information about its end customers. As part of Adobe providing services to the business customer, Adobe Ireland may transfer this personal information of end customers to other Adobe entities under Standard Contractual Clauses, as described above.

The primary locations where Adobe handles and oversees your personal data are the US, Ireland, and India. We also transfer personal data to other countries where our affiliates, providers, and partners operate, always following privacy laws. When personal data is transferred to countries or territories that are not recognized under applicable law as offering an adequate level of data protection, to keep your data secure and follow regulations, we use data transfer agreements and other legal and technical safeguards for protection.