At New Relic we take the privacy and security of our customers’ data seriously. This FAQ guide is designed to assist you when completing our Data Processing Addendum (“DPA”) which New Relic makes available to its customers.
EU-U.S. Data Privacy Framework (DPF)
Please note that as of November 8, 2023, the New Relic DPA has been modified to reflect New Relic’s certification under the EU-U.S. Data Privacy Framework. The Data Privacy Framework (including the Swiss-U.S. Privacy Framework and the UK Extension to the DPF) has been formally approved by the United States Department of Commerce. This means that personal data from the European Union (EU), Switzerland and the United Kingdom (UK) can be transferred from those locations by New Relic customers to New Relic in the United States (U.S.). The DPF replaces the Privacy Shield and like Privacy Shield, personal data can be transferred to companies in the U.S. who are certified under the DPF without the need to enter into additional data transfer mechanisms such as the Standard Contractual Clauses or Binding Corporate Rules (BCRs). You can read more about New Relic’s certification here.
Data Privacy Framework
Some questions you might have about this new Data Privacy Framework and the New Relic DPA:
I am a new New Relic customer sending personal data from the EU, Switzerland and/or the UK to the New Relic services in the U.S., how do I ensure the transfer is covered by the DPF?
All you need to do is download the New Relic DPA and follow the instructions. The DPA incorporates the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK extension to the DPF and so they will apply automatically for data transfers to the U.S. for all our customers without the need to enter into an additional transfer mechanism. We have also included the 2021 SCCs as the fall back transfer mechanism in the event that the DPF is invalidated or otherwise no longer applies.
I am an existing New Relic Customer sending personal data from the EU, Switzerland and/or the UK to the New Relic services in the U.S. - does the Data Privacy Framework apply to my relationship with New Relic?
If you are a New Relic customer sending personal data from the EU, Switzerland and/or the UK to the New Relic services in the U.S. and have signed a Data Processing Addendum with New Relic, you do not need to take any action. The EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK extension to the DPF apply automatically for data transfers to the U.S. from all our customers without the need to enter into an additional transfer mechanism. The DPF is deemed to offer an adequate level of protection for personal data and means New Relic’s certification under the DPF removes the need for an additional transfer mechanism. For existing customers who signed an older version of the New Relic DPA with the 2021 SCCs as the transfer mechanism for transfers to the U.S., you may wish to update to the new DPA, that specifically references the DPF, in which case you will just need to download it and follow the instructions.
What happens if the Data Privacy Framework is invalidated?
The New Relic DPA takes into account the possibility that the Data Privacy Framework could be revoked and/or invalidated in the future. If this were to occur, we have designed our DPA in a way that you would automatically be covered by the 2021 Standard Contractual Clauses, which are a valid transfer mechanism for international data transfers.
Does the Data Privacy Framework apply to all customers?
Yes, if you are using the New Relic Services to transfer personal data out of the EEA, Switzerland and/or the UK, then the 2021 SCCs and the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK extension may apply as the data transfer mechanism.
Standard Contractual Clauses
What other data transfer mechanism does New Relic use?
The Data Privacy Framework (EU-U.S. and Swiss-U.S.), along with the UK extension, is just one of the various mechanisms for transferring personal data. Since the invalidation of the Privacy Shield (the old DPF equivalent), New Relic has incorporated the Standard Contractual Clauses (2021 SCCs) pursuant to the European Commission's Implementing Decision 2021/914 of 4 June 2021 for transfers from the European Economic Area (EEA) and Switzerland and the UK Addendum to the EU Standard Contractual Clauses for transfers from the UK (UK SSCs). The 2021 SCCs and the UK SCCs remain incorporated in the New Relic DPA, and are a valid mechanism for other international transfers.
What are the new Standard Contractual Clauses (“SCCs”)?
The 2021 SCCs replace the existing SCCs for Controller to Processor transfers approved by the European Commission in decision 2010/87/EU. The 2021 SCCs take into account more complex data processing operations that have since evolved and which were not envisaged by the 2010 SCCs. There are 4 different modules contained within the 2021 SCCs so they can be tailored specifically to reflect the type of transfer being made- e.g. where it involves a transfer of personal data from a processor to a (sub)processor. The 2010 SCCs have not been valid since September 27, 2021. The Federal Data Protection and Information Commissioner (FDPIC) in Switzerland has also recognised the 2021 SCCs as a valid transfer mechanism for transfers from Switzerland subject to an accompanying Swiss Addendum which has been incorporated into the New Relic DPA.
Regarding the 2021 SCCs, which Module is applicable?
New Relic may process personal data transferred by a New Relic customer, for which New Relic may be acting as a processor (where the customer is a controller of that data) or a sub-processor (where the customer is a processor of that data). Therefore the updated DPA contains both Module 2 (controller to processor transfers) and Module 3 (processor to processor transfers) of the 2021 SCCs.
The United Kingdom and Brexit- do the SCCs and the GDPR still apply to the UK?
The GDPR has been retained in domestic law in the United Kingdom- the ‘UK GDPR’ and will sit alongside the UK Data Protection Act 2018 (as amended). The transfer of personal data from the UK to the EEA and to any countries which have received a finding of adequacy by the European Commission is permissible. The UK government has confirmed that it recognizes the 2021 SCCs to facilitate the transfer of personal data from the United Kingdom to countries outside the United Kingdom and to which no ‘adequacy decision’ has been granted if used in conjunction with a UK addendum to the SCCs, e.g., the “UK SCCs”. The UK addendum was drafted by the ICO so that the 2021 SCCs can be used in the context of data transfers from the United Kingdom. The New Relic DPA has also been updated to reflect this position, that is- the 2021 SCCs are recognised as a lawful data transfer mechanism for transfers outside the UK, subject to the completion of the UK addendum.
Existing Customers that want to incorporate the EU-U.S Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK extension
If you are an existing customer and have already signed a DPA with New Relic that incorporates the 2021 SCCs, you do not have to take any action..
New Customers
All new customers should sign the New Relic DPA which makes reference to the EU-U.S Data Privacy Framework, the Swiss-U.S. Data Privacy, and the UK extension and incorporates the 2021 SCCs (including UK SCCs).
For more information on how New Relic processes personal data, please see our General Data Privacy Notice.
For more information on GDPR and New Relic, please see our GDPR FAQ.
For more information on New Relic’s security practices, please see our Security Policy.
1. What is a DPA and do I need to sign New Relic’s DPA?
- A Data Processing Addendum (“DPA”) is a legally binding document entered into by a controller and a processor and regulates the particularities of data processing. Article 28(3) of the General Data Protection Regulation (“GDPR”) requires that controllers, processors and sub processors must enter into written contracts or DPAs in order to share personal data.
- If your company is subject to the GDPR and/or the UK GDPR and you are transmitting personal data to the New Relic services for processing, then you should sign New Relic’s DPA and then follow the instructions set out at Section 6 below.
2. Who is the controller and who is the processor?
The customer acts as the controller with respect to personal data they submit via the New Relic agent to the New Relic service for processing. New Relic acts as the processor. When acting as a data processor on behalf of customers, New Relic follows the instructions of the customer - a customer sends personal data through the service and New Relic processes what is sent. New Relic do not exercise professional judgement or make independent decisions about the data that it receives from customers.
3. Why can my company not use its own DPA?
The New Relic DPA is tailored to reflect New Relic’s service offering and its multi-tenant environment. It sets out the specialized processes and procedures in relation to New Relic’s obligations as a data processor under GDPR/UK GDPR. The New Relic DPA addresses the relevant GDPR requirements related to the scope and confidentiality of data processing, the security measures in place to ensure the security of customer data, the data breach notification process, and our audit and subprocessing activities. These all correlate to the way in which New Relic’s unique services and its multi-tenant infrastructure operate. New Relic’s DPA outlines our commitment to our obligations under the GDPR Article 28(3) processor terms sequentially and refers to the specific GDPR provision that each section of the DPA covers.
4. What about the main agreement between the parties?
- The New Relic DPA is an addendum to the main agreement between New Relic and our customer and forms part of that agreement.
- Customers who signed a previous version of the New Relic DPA, or who previously entered into an agreement without signing a DPA, can sign our current DPA with the 2021 SCCs at any time. Please note that any previous data processing agreement for New Relic services entered into between the parties is terminated upon signature of the current New Relic DPA with the 2021SCCs by customer.
5. How does New Relic meet its obligations under GDPR?
New Relic has both a dedicated security and privacy team within our organisation who are passionate about delivering and maintaining a world class security/privacy program to ensure we are GDPR compliant.
- We will keep your data confidential: All of New Relic’s staff who have access to our customers’ data are committed to confidentiality as part of their terms of employment with New Relic.
- We keep your data safe and secure: At New Relic, the security of your data is of the utmost importance to us. Our information security team continues to ensure that we are in line with industry standards and best practices for all data processing.
- We have implemented robust technical and organisational measures to assist our customers in meeting their compliance needs: At New Relic we know that our customers are subject to compliance obligations under GDPR with regard to the fulfilment of data subject requests and data protection impact assessments. As your data processor, we are happy to assist so that you meet these obligations and we have devised our own internal technical and organisational policies and processes to enable us to do this efficiently and effectively.
- We will only use approved sub-processors: All of our sub-processors undergo rigorous security and privacy assessment from our security and privacy team and we will always provide you with advance notification when we want to add a new sub-processor. You can be assured that we conduct thorough due diligence prior to onboarding and that we ensure we have the appropriate contractual provisions in place. At all times New Relic remains liable for the acts of our sub-processors.
- We will assist you in the event of a data breach: If a data breach occurs at New Relic and your data is affected, we will notify you in time for you to meet your data breach notification to the supervisory authority and we will provide you with details of the breach in order for you to assess the impact it may have upon your organisation.
- We will provide you with the information you require so that you can satisfy yourself that you are choosing a GDPR compliant service provider: So that we may meet our obligations to you, we are happy to provide answers to information security and audit questionnaires that will confirm New Relic’s compliance with its obligations as a data processor.
6. How can I execute the New Relic DPA?
The New Relic online DPA is pre-signed by New Relic. Where a customer is signing New Relic’s online DPA, the customer may download the DPA from our website here and then sign and return the DPA to dataprivacy@newrelic.com. Please note that this process only applies to situations where the DPA is being signed in isolation. Where a customer signs the DPA as part of their agreement with New Relic, it will not need to follow this process or return it to dataprivacy@newrelic.com .
7. What is contained within the exhibits to the New Relic DPA?
- Exhibit 1 sets out the details of the processing undertaken by New Relic, including the types of data and data subjects.
- Exhibit 2 contains a link to the New Relic security documentation.
8. I would like to ask some questions that are not answered in this guide
For any additional information you require, you may contact your Account Executive who will be happy to assist you.