At New Relic we take the privacy and security of our customers’ data seriously. This FAQ guide is designed to assist you when completing our Data Processing Addendum (“DPA”) which New Relic makes available to its customers.
New UK SCCs
Please note that as of March 21, 2022, the New Relic DPA has been updated to take into account the recognition by the United Kingdom’s government of the new Standard Contractual Clauses (“SCCs”) pursuant to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries. This is subject to the completion of an accompanying “UK Addendum to the EU Standard Contractual Clauses” issued by the ICO under s119A(1) of the United Kingdom Data Protection Act 2018, i.e., the “UK SCCs”. All new contracts entered into after September 21, 2022 should comply with the new UK SCCs. Existing contracts that use the old 2010 EU SCCs as a means of complying with the UK data protection rules for international data transfers must be replaced by March 21, 2024. Other transfers that rely on SCCs may use the new UK SCCs from March 21, 2022.
What are the new Standard Contractual Clauses (“SCCs”)?
The new SCCs replace the existing SCCs for Controller to Processor transfers approved by the European Commission in decision 2010/87/EU. The new SCCs take into account more complex data processing operations that have since evolved and which were not envisaged by the 2010 SCCs. There are 4 different modules contained within the new SCCs so they can be tailored specifically to reflect the type of transfer being made, e.g., where it involves a transfer of personal data from a processor to a (sub)processor. The 2010 SCCs remain valid for existing contracts until December 27, 2022 but will not be valid for new contracts after September 27, 2021. This means that all new contracts from September 27, 2021 must contain the new SCCs as the data transfer mechanism. The Federal Data Protection and Information Commissioner (FDPIC) in Switzerland has also recognised the new SCCs as a valid transfer mechanism for transfers from Switzerland, subject to an accompanying Swiss Addendum which has been incorporated into the New Relic DPA.
Do the SCCs apply to all Customers?
If you are using the New Relic Services to transfer personal data out of the EEA and/or the UK, then the SCCs and/or the new UK SCCs will apply as the data transfer mechanism.
Which Module of the new SCCs applies?
New Relic may process personal data transferred by a New Relic customer, for which New Relic may be acting as a processor (where the customer is a controller of that data) or a sub-processor (where the customer is a processor of that data). Therefore the updated DPA contains both Module 2 (controller to processor transfers) and Module 3 (processor to processor transfers) of the new SCCs.
Existing Customers and EU Transfers
If you are an existing customer and have already signed a DPA with New Relic (which includes the 2010 SCCs), those SCCs are still valid for EU transfers until December 27, 2022. If you would like to update to the New Relic DPA with the new SCCs before that time, you can do that. Any previous data processing agreement for New Relic services entered into between the parties is terminated upon customer signing the current New Relic DPA with the new SCCs.
Existing Customers and UK Transfers
If you are an existing customer and have already signed a DPA with New Relic (which includes the 2010 EU SCCs), those SCCs are still valid for UK transfers until March 21, 2024. All New Relic DPAs downloaded from the New Relic website from September 27, 2021 and entered into contain language at Section 5.5 which states that the old 2010 EU SCCs apply for transfers as long as they are lawfully permitted, after which the new UK SCCs will automatically apply. If you have signed an older version of the New Relic DPA and you would like to update to the New Relic DPA with the new UK SCCs before March 21, 2024, you can do that. Any previous data processing agreement for New Relic services entered into between the parties is terminated upon customer signing the current New Relic DPA with the new UK SCCs.
All new customers should sign the New Relic DPA with the new SCCs (including the new UK SCCs).
The United Kingdom and Brexit: do the SCCs and the GDPR still apply to the UK?
The GDPR has been retained in domestic law in the United Kingdom as the ‘UK GDPR’ and will sit alongside the UK Data Protection Act 2018 (as amended). The transfer of personal data from the UK to the EEA and to any countries which have received a finding of adequacy by the European Commission is permissible. The UK government has confirmed that it recognizes the new SCCs to facilitate the transfer of personal data from the United Kingdom to countries outside the United Kingdom and to which no ‘adequacy decision’ has been granted if used in conjunction with a UK addendum to the SCCs, i.e., the “UK SCCs”. The UK addendum was drafted by the ICO so that the new SCCs can be used in the context of data transfers from the United Kingdom. The New Relic DPA has also been updated to reflect this position, that is, the new SCCs are recognised as a lawful data transfer mechanism for transfers outside the UK, subject to the completion of the UK addendum.
For more information on how New Relic processes personal data, please see our General Data Privacy Notice.
For more information on GDPR and New Relic, please see our GDPR FAQ.
For more information on New Relic’s security practices, please see our Security Policy.
1. What is a DPA and do I need to sign New Relic’s DPA?
- A Data Processing Addendum (“DPA”) is a legally binding document entered into by a controller and a processor and regulates the particularities of data processing. Article 28(3) of the General Data Protection Regulation (“GDPR”) requires that controllers, processors and sub-processors must enter into written contracts or DPAs in order to share personal data.
- If your company is subject to the GDPR and/or the UK GDPR and you are transmitting personal data to the New Relic services for processing, then you should sign New Relic’s DPA and then follow the instructions set out at Section 6 below.
2. Who is the controller and who is the processor?
The customer acts as the controller with respect to personal data they submit via the New Relic agent to the New Relic service for processing. New Relic acts as the processor. When acting as a data processor on behalf of customers, New Relic follows the instructions of the customer: a customer sends personal data through the service and New Relic processes what is sent. New Relic does not exercise professional judgement or make independent decisions about the data that it receives from customers.
3. Why can my company not use its own DPA?
The New Relic DPA is tailored to reflect New Relic’s service offering and its multi-tenant environment. It sets out the specialized processes and procedures in relation to New Relic’s obligations as a data processor under GDPR/UK GDPR. The New Relic DPA addresses the relevant GDPR requirements related to the scope and confidentiality of data processing, the security measures in place to ensure the security of customer data, the data breach notification process, and our audit and subprocessing activities. These all correlate to the way in which New Relic’s unique services and its multi-tenant infrastructure operate. New Relic’s DPA outlines our commitment to our obligations under the GDPR Article 28(3) processor terms sequentially and refers to the specific GDPR provision that each section of the DPA covers.
4. What about the main agreement between the parties?
- The New Relic DPA is an addendum to the main agreement between New Relic and our customer and forms part of that agreement.
- Customers who signed a previous version of the New Relic DPA, or who previously entered into an agreement without signing a DPA, can sign our current DPA with the new SCCs at any time. Please note that any previous data processing agreement for New Relic services entered into between the parties is terminated upon signature of the current New Relic DPA with the new SCCs by customer.
5. How does New Relic meet its obligations under GDPR?
New Relic has a dedicated security and privacy team within our organisation who are passionate about delivering and maintaining a world-class security/privacy program to ensure we are GDPR compliant.
- We will keep your data confidential: All of New Relic’s staff who have access to our customers’ data are committed to confidentiality as part of their terms of employment with New Relic.
- We keep your data safe and secure: At New Relic, the security of your data is of the utmost importance to us. Our information security team continues to ensure that we are in line with industry standards and best practices for all data processing.
- We have implemented robust technical and organisational measures to assist our customers in meeting their compliance needs: At New Relic we know that our customers are subject to compliance obligations under GDPR with regard to the fulfilment of data subject requests and data protection impact assessments. As your data processor, we are happy to assist so that you meet these obligations and we have devised our own internal technical and organisational policies and processes to enable us to do this efficiently and effectively.
- We will only use approved sub-processors: All of our sub-processors undergo rigorous security and privacy assessment from our security and privacy team and we will always provide you with advance notification when we want to add a new sub-processor. You can be assured that we conduct thorough due diligence prior to onboarding and that we ensure we have the appropriate contractual provisions in place. At all times New Relic remains liable for the acts of our sub-processors.
- We will assist you in the event of a data breach: If a data breach occurs at New Relic and your data is affected, we will notify you in time for you to meet your data breach notification obligation to the supervisory authority and we will provide you with details of the breach in order for you to assess the impact it may have upon your organisation.
- We will provide you with the information you require so that you can satisfy yourself that you are choosing a GDPR compliant service provider: So that we may meet our obligations to you, we are happy to provide answers to information security and audit questionnaires that will confirm New Relic’s compliance with its obligations as a data processor.
6. How can I execute the New Relic DPA?
The New Relic online DPA is pre-signed by New Relic. Where a customer is signing New Relic’s online DPA, the customer may download the DPA from our website here and then sign and return the DPA to firstname.lastname@example.org. Please note that this process only applies to situations where the DPA is being signed in isolation. Where a customer signs the DPA as part of their agreement with New Relic, it will not need to follow this process or return it to email@example.com.
7. What is contained within the exhibits to the New Relic DPA?
- Exhibit 1 sets out the details of the processing undertaken by New Relic, including the types of data and data subjects.
- Exhibit 2 contains a link to the New Relic security documentation.
8. I would like to ask some questions that are not answered in this guide
For any additional information you require, you may contact your Account Executive who will be happy to assist you.
The information contained in this document does not provide legal advice. We recommend that you consult with your own legal counsel in order to obtain advice specific to your own unique situation and how you intend to use the New Relic services. Remember, a DPA is only necessary if you intend to send personal data for processing.