International Data Transfers via Standard Contractual Clauses

What it is

If you are in the EU, UK, or Switzerland, Calendly transfers your personal data to the United States using a legal framework called Standard Contractual Clauses, which are pre-approved contract terms meant to protect your data during the transfer.

Why it matters (compliance & governance perspective)

Cross-border data transfers to the US have been subject to significant legal scrutiny in Europe, and the adequacy of Standard Contractual Clauses depends on additional safeguards and transfer impact assessments that the notice does not detail.

Consumer impact (what this means for users)

EU, UK, and Swiss users' personal data is transferred to Calendly's US-based infrastructure, with Standard Contractual Clauses cited as the legal mechanism, though the practical protection this provides depends on implementation details not disclosed in the notice.

What you can do

Institutional analysis (Compliance & governance intelligence)

REGULATORY LANDSCAPE: This provision directly engages GDPR Chapter V governing international data transfers, including the European Commission's Standard Contractual Clauses framework updated in 2021. Following the Schrems II decision by the Court of Justice of the EU, organizations relying on SCCs must conduct Transfer Impact Assessments to verify that SCCs provide effective protection in the destination country. The relevant enforcement authorities are the applicable EU supervisory authorities and the UK ICO. GOVERNANCE EXPOSURE: Medium. Reliance on SCCs is a recognized and widely used transfer mechanism, but post-Schrems II obligations require documented Transfer Impact Assessments. Organizations using Calendly to process EU/EEA employee or customer data should confirm that Calendly has conducted and documented these assessments and that the DPA reflects the updated 2021 SCC modules. JURISDICTION FLAGS: EU/EEA and UK jurisdictions create the primary exposure. Switzerland has its own data transfer requirements under the revised Federal Act on Data Protection. Organizations with EU data subjects should ensure their vendor assessment of Calendly includes review of SCC implementation and any supplementary transfer safeguards. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should request and review Calendly's Data Processing Agreement and confirm it incorporates the 2021 EU SCCs with appropriate module selection. Transfer Impact Assessments should be requested or documented as part of vendor due diligence. UK organizations should confirm whether Calendly's transfer mechanisms satisfy UK GDPR's international transfer requirements following the UK's post-Brexit framework. COMPLIANCE CONSIDERATIONS: Legal teams should assess whether their organization's use of Calendly has been covered in their Records of Processing Activities with respect to international transfers. Transfer Impact Assessments may need to be documented or updated. Any changes to Calendly's US data infrastructure or sub-processors could affect the adequacy of existing SCC arrangements.

Applicable agencies

Applicable regulations

Provision details

Other risks in this policy

• Invitee Data Collection Without Account Creation high
• Data Sharing with Advertising and Analytics Partners medium
• Calendar Content Processing medium
• California Resident Privacy Rights (CCPA/CPRA) low
• Data Retention Without Specific Timeframes medium
• Legitimate Interests as Lawful Basis for Processing medium

Related Analysis

• Meta Removed 438 Sentences From Its Privacy Policy. Here Is What Disappeared.

  ConductAtlas detected a major restructuring of Meta’s privacy policy that removed detailed consumer rights disclosures and relocated them to separate documents.

• 23andMe Is Bankrupt. What Happens to Your DNA Now?

  Your genetic data may be transferred to a new owner as a business asset. Here is what the Terms of Service actually say and what you can do right now.