At BlackLine, we're entrusted to protect the security and privacy of our customers' data, and it's a top priority. We continuously monitor the global privacy landscape and adapt our privacy program accordingly. Whether it is the European Union's GDPR, California's new privacy law (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA), or the United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act (UK GDPR), we are here to assist our customers on their privacy compliance journeys. This page describes how we support privacy compliance.
The California Consumer Privacy Act (CCPA) is a data privacy law that provides California consumers with a number of privacy protections, including the right to access, delete, and opt out of the “sale” of their personal information. Starting January 1, 2020, businesses that collect California residents' personal information and meet certain thresholds (e.g., revenue, volume of data processing) will need to comply with these obligations. The California Privacy Rights Act (CPRA) is a data privacy law that amends and expands upon the CCPA. The law takes effect on January 1, 2023. You can find more information about your responsibilities as a business under the CCPA on the California Office of the Attorney General's website.
GDPR stands for "General Data Protection Regulation". The full name of the Regulation is "Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation)". If you think that's a long title, check out the regulation itself which is almost 90 pages long: European Union Official Website. The GDPR is a comprehensive data protection law that took effect on May 25, 2018. The GDPR regulates the use of personal data of EU residents and provides individuals rights to exercise control over their data. Under the GDPR, any EU data subject may at any time request a copy of all of their personal data that is handled by an organization. The data subject may also request deletion of their personal data (with some exceptions). To allow for this right to be effectively exercised in practice, the GDPR contains strict, detailed rules regarding the handling of personal data. In particular, an organization handling personal data needs to know where a subject's personal data is being processed and held at any given time.
GDPR also underscores the principle that processing of personal data should be limited to the extent possible. In addition, systems and processes that touch personal data must be designed to minimize the use of personal data and to provide the best possible protection.
Many of these rights existed prior to GDPR, with each EU member state largely regulating data privacy on its own. GDPR aims at harmonizing across the EU the rights of EU residents with respect to their personal data.
Who does GDPR apply to?
GDPR applies to anyone handling personal data in the EU. GDPR also applies to anyone outside the EU who handles personal data of an EU resident. For example, a Canadian company with no offices in the EU will fall under the GDPR rules if it handles personal data (e.g., name, address, phone number) of potential clients in, say, Belgium.
What is "Personal Data"?
The definition of personal data is very broad under the GDPR and includes any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be directly or indirectly identified by the information. Obvious examples include name, address or private telephone numbers. However, the broad definition also includes, but is not limited to, log-in credentials, connection data to email servers and IP addresses.
How does GDPR apply to BlackLine's services?
BlackLine is subject to the GDPR because we (a) operate globally with a significant client/user base located in the EU, and (b) process information regarding our clients, employees, vendors and others. As a cloud software provider, we store client data on our systems that clients upload to optimize their accounting and financial closing processes. Under this system of "bring your own data" (where BlackLine does not itself upload client data), we cannot know for certain whether client-uploaded data contains any "personal data" within GDPR's broad definition. Nonetheless, we operate on the assumption that client data will contain personal data of EU subjects and that by storing it on our servers we effectively become "processors" under, and subject to, the GDPR. BlackLine is therefore fully committed to being GDPR compliant with respect to the hosted services we provide and the client data we store.
The Data Protection Act 2018 is the UK's implementation of the GDPR (UK GDPR). The UK GDPR is a comprehensive data protection law that regulates the use of personal data of UK residents and provides individuals rights to exercise control over their data.
BlackLine offers a Data Processing Addendum (DPA) to its customers here. The DPA is an agreement that sets out the legal framework under which BlackLine processes personal data. The DPA covers all of BlackLine’s services. The DPA is an addendum or exhibit to BlackLine’s Master Subscription Agreement (“MSA”).
The majority of the DPA applies to customers regardless of their connection to the European Economic Area (“EEA”), Switzerland and the United Kingdom (“UK”) (together, “Europe”). Most of the commitments in the DPA are general privacy-related commitments that are not specific to European laws.
Although the DPA uses certain terminology from specific laws, e.g. Controller and Processor from the GDPR, it covers customers globally and sets out relevant legal obligations and commitments related to the processing of personal data.
It is for you to determine whether you act as a Controller or a Processor in uploading personal data to BlackLine’s Hosted Service. In both scenarios, BlackLine acts as a Processor and processes such personal data only in accordance with your documented instructions and the MSA.
BlackLine’s Master Subscription Agreement (MSA), which incorporates the DPA, can be found here.
BlackLine undergoes several independent third-party audits on a regular basis. Some of the key international standards we are audited against are:
ISO/IEC 27001 (Information Security Management)
ISO/IEC 27017 (Cloud Security)
ISO/IEC 27018 (Cloud Privacy)
ISO/IEC 27701 (Privacy Information Management)
SSAE 18/ISAE 3402 SOC 1 Type 2, SOC 2 Type 2 & SOC 3
For more information about BlackLine's independent third-party audits and approach to security, please review the information available here.
BlackLine maintains appropriate technical and organizational measures to protect Customer Data. Please also see BlackLine's dedicated security page detailing our compliance certifications and attestations available here.
What is a transfer mechanism?
Under European privacy laws, personal data cannot be transferred outside of Europe unless the importing country has been deemed adequate by the relevant governmental body, or the data exporter has appropriate safeguards in place to ensure that the personal data transferred is subject to an adequate level of data protection. The “appropriate safeguards” include transfer mechanisms such as standard data protection clauses (i.e. the Standard Contractual Clauses) or binding corporate rules.
What is Privacy Shield?
The EU-U.S. Privacy Shield framework was designed by the U.S. Department of Commerce and the European Commission to provide U.S. companies with a mechanism to comply with European data protection requirements when receiving personal data from the EU. The framework was later adopted by the rest of the EEA, and the U.S. later reached a similar agreement with Switzerland.
In July 2020, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield framework. As a result, Privacy Shield is no longer an appropriate safeguard for the purposes of legitimizing the transfer of personal data outside of the EEA or the UK. The Federal Data Protection and Information Commissioner (the Swiss supervisory authority) subsequently followed suit and invalidated the Swiss-U.S. Privacy Shield. Where BlackLine has previously relied on Privacy Shield for any such transfers, we have moved to other regimes, such as the Standard Contractual Clauses.
Which transfer mechanisms does BlackLine offer in its DPA?
BlackLine’s DPA incorporates the EU Commission Standard Contractual Clauses published in 2021 (“SCCs”), the International Data Transfer Addendum to the SCCs issued by the United Kingdom Information Commissioner, and a Swiss Addendum to the SCCs (collectively, “EU Transfer Mechanisms”). The SCCs are legal contracts entered into between contracting parties who are transferring personal data outside of Europe to countries that have not been deemed adequate. The original controller-to-processor Standard Contractual Clauses were drafted and approved by the European Commission in 2010. In June 2021, the European Commission published the 2021 SCCs. A copy of the 2021 SCCs is included in the DPA, and you can also find additional information on the 2021 SCCs on the official website of the European Commission.
Can European Personal Data be Transferred to the US?
Yes. In response to Schrems II, the European Data Protection Board (EDPB) has made clear that the Standard Contractual Clauses remain valid data transfer mechanisms. As the EDPB states in its guidance, however, transfer mechanisms do not operate in isolation, and may need to be paired with supplementary measures that enhance protection of personal data.
What is a Transfer Impact Assessment?
BlackLine's DPA now incorporates the 2021 SCCs. In response to the heightened requirements created by the Schrems II decision, the 2021 SCCs require a data importer (such as BlackLine) to provide specific information about the data transfers it undertakes, and require importers to conduct a transfer impact assessment (TIA) to evaluate the risks involved in transferring personal data to countries outside of Europe. The SCCs also require a data importer to take into account any supplemental technical and organizational security measures. BlackLine’s TIA covers the Schrems II decision and the associated EDPB Recommendations 01/2020, and explains how our latest DPA addresses them. BlackLine’s Transfer Impact Assessment for customers is located here.