Last Updated: July 1, 2020
Asia-Pacific Economic Cooperation (“APEC”)
APEC Cross Border Privacy Rules (“CBPR”) System: Box, Inc.’s privacy practices, described in the Privacy Notice, comply with the APEC CBPR System. The APEC CBPR system provides a framework for organizations to ensure protection of Personal Data transferred among participating APEC economies. More information about the APEC framework can be found at: http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/CBPR/CBPR-PoliciesRulesGuidelines.ashx.
APEC Privacy Recognition for Processors (“PRP”) System: Box, Inc.’s privacy practices, described in this Privacy Notice, comply with the APEC PRP System. The APEC PRP System provides a framework for data processors to demonstrate their ability to effectively implement a data controller’s privacy requirements. More information about the APEC PRP framework can be found at: https://www.apec.org/~/media/Files/Groups/ECSG/2015/APEC PRP Rules and Guidelines.pdf.
Protecting the privacy rights of Customers is fundamental to the services Box provides. Box has historically offered Customers an overlapping set of legal mechanisms and frameworks for data transfers out of the European Economic Area (EEA).
UK Binding Corporate Rules: The EU-UK Trade and Cooperation Agreement marked the end of the United Kingdom’s (UK) transition period to leave the European Union (Brexit). Box, Inc. and the Box group of companies have made every effort to maintain our commitment and adherence to a valid data protection framework and transfer mechanism. Guidance issued by the United Kingdom’s Information Commissioner’s Office (ICO) confirms that Box’s Processor and Controller BCRs in the UK remain viable, ensuring that data transfers from the UK may continue in compliance with UK data protection laws. Box’s UK BCRs are made available below:
- Box UK Processor Binding Corporate Rules
- Box UK Controller Binding Corporate Rules
EU Binding Corporate Rules: Box, Inc. and the Box group of companies seek to maintain their EU BCRs by transferring to a lead supervisory data protection authority located in the EEA. While Box awaits approval of its EU BCRs, Box remains committed to adhering to the principles set forth in the current BCRs authorized and approved by the European data protection authorities, as will be listed at the European Commission website. We have made Standard Contractual Clauses (SCCs) available to all customers, ensuring a lawful data transfer mechanism when transferring data from the European Economic Area (EEA) to outside of the region. Box EU BCRs are made available below:
EU - U.S. Privacy Shield and Swiss - U.S. Privacy Shield: On July 16, 2020, the Court of Justice of the European Union (CJEU) ruled that the EU - U.S. Privacy Shield and Swiss - U.S. Privacy Shield Framework is no longer a valid data transfer mechanism for transferring personal data from the European Economic Area (EEA) to the United States. Per guidance from the United States Department of Commerce, Box, Inc. will continue to participate and certify its compliance with the EU - U.S. Privacy Shield Framework and the Swiss - U.S. Privacy Shield Framework. For more information about our Privacy Shield certifications, please view the Box EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Notice.
California Residents: Starting January 1, 2020, under the California Consumer Privacy Act (CCPA), California Residents have the right to request the following information from Box by emailing firstname.lastname@example.org and Box will provide such information to you upon verification of your request:
- The categories of personal information Box collects about you;
- The categories of sources from which your personal information is collected;
- The business purpose for collecting your personal information;
- The categories of third parties with whom Box shares your personal information; and
- The specific pieces of personal information Box has collected about you.
In addition, you can find the following information in the corresponding Box Privacy Notice Sections:
| Privacy Notice Section | Categories of Information |
|---|---|
| Collection of Information | The categories of personal information Box collects about you. |
| | The categories of sources from which your personal information is collected. |
| Use of Information | The business purpose for collecting your personal information. |
| Sharing and Disclosure of Information | The categories of third parties with whom Box shares your personal information. |
California Residents who have an established business relationship with Box may also choose to opt out of Box’s disclosure of personal information about them to third parties for direct marketing purposes. You may change your preferences at any time by emailing email@example.com.
If you elect to exercise any of your rights under CCPA, Box will not deny services, provide a different price or rate for our services, or provide a different level of service to you because you exercised such rights.