Data Transfer Guide

Allegis Group Data Transfer Assessment Guide for Customers

Allegis Group and its family of companies (“Allegis Group”) is a US-headquartered global company that provides talent solutions.  For a list of the Allegis Group entities, click here.  Allegis Group forms partnerships with organizations across the globe to optimize talent attraction and retention.  We work with clients to help them achieve their talent strategies and business goals, and we help potential candidates fulfil their career aspirations.  Learn more about the specific services for each of our brands here (collectively, “Services”). 

We take the privacy, security and confidentiality of our customers’ data very seriously, including supporting our customers’ compliance as they engage Allegis Group service offerings.  Any customer personal data we process will be treated in accordance with our Privacy Policy, which you can access here and, when we act as a processor or service provider, our contract with you, including any separate data processing agreement we have entered.  For additional information regarding Allegis Group’s commitment to data protection, please see our Data Protection Readiness Statement.   

As part of our Services, Allegis Group processes personal data for purposes that include providing and maintaining our Services, analytics, business development, billing, support, security and fraud prevention and compliance with applicable laws.   As a global company, Allegis Group transfers and remotely accesses personal data outside of the European Economic Area (“EEA”), Switzerland and the United Kingdom (collectively “Europe”).   

Allegis Group relies on the EU Commission Standard Contractual Clauses 2021/914 of 4 June 2021 (“New SCCs”) to transfer customer personal data from the EEA and Switzerland to third countries that are not considered “adequate” under applicable data protection law.  For transfers of personal data from the United Kingdom, Allegis Group currently relies on the EU Commission Standard Contractual Clauses 2010/87/EU of 5 February 2010 or the EU Commission Standard Contractual Clauses 2004/915/EC of 27 December 2004 (collectively, “Old SCCs”).   

Allegis Group has prepared this resource to assist customers who receive our Services to perform their own assessment of the transfer of personal data to Allegis Group outside Europe ("Transfer Impact Assessment" or "TIA"), in light of the Schrems II ruling ("Schrems II") of the Court of Justice of the European Union ("CJEU") and the European Data Protection Board ("EDPB") recommendations regarding supplementary measures.

Please note that each of our service offerings is unique and whether there is a "transfer" of personal data (and therefore whether you need to perform a TIA) may depend on the Services we are providing to you.  For example, when we provide staffing services there is no transfer of personal data.  Please ask your Allegis Group relationship contact for a copy of our data protection agreement that fits the Services we are providing to you.  For more details about our Services, and an understanding of the resulting data protection obligations and personal data transfers, please continue to read this guide.

BACKGROUND INFORMATION – SCHREMS II RULING AND EDPB RECOMMENDATIONS

What was the Schrems II ruling about? 

The Schrems II ruling arose out of a complaint made by an Austrian data subject, Maximilian Schrems, to the Irish Data Protection Commissioner, concerning transfers of his personal data to the United States and the potential for his data to be accessed by US government agencies. As part of the Schrems II ruling, the CJEU confirmed that the European Commission's Standard Contractual Clauses ("SCCs") provide a lawful mechanism for transferring personal data from the EEA to third countries outside the EEA. The Swiss Federal Data Protection and Information Commissioner ("FDPIC") followed this logic and stated that their use is also acceptable for transfers of personal data outside Switzerland. The SCCs are a standard set of data protection clauses approved by the European Commission that are entered into between data exporters and data importers, conferring protections for the data transferred and enforceable rights for data subjects.

However, the CJEU further ruled (and the FDPIC agreed) that, before transferring personal data to a third country in reliance on the SCCs, the data exporter must (with support from the data importer) assess whether the personal data will be protected to a standard that is "essentially equivalent" to EU law, taking into account the provisions of the SCCs and the relevant aspects of the third country's legal system.  Where the SCCs alone are not able to ensure "essential equivalence", then the data exporter must implement "supplementary measures" to protect the data to that standard.  

After the Schrems II ruling, the European Commission issued a new version of the SCCs ("New SCCs").  The New SCCs replace the original version of the SCCs ("Old SCCs") that were at issue in the Schrems II ruling.  The New SCCs adopt and incorporate the requirements of the CJEU’s Schrems II ruling. 

What are the EDPB Recommendations?

The EDPB is composed of representatives of the national data protection authorities from all EU Member States and is responsible for issuing guidelines on the interpretation of core concepts of the GDPR.  The EDPB issued the EDPB Recommendations following the Schrems II ruling. 

The EDPB Recommendations provide guidance for data exporters assessing whether there is an essentially equivalent level of protection for data transfers outside the EEA and recommend the following six-step process: 

  • Step 1:  Know your transfers – perform a mapping of transfers of personal data outside the EEA 
  • Step 2:  Identify the transfer tool being relied on (for example, the SCCs)
  • Step 3:  Assess whether the transfer tool identified in Step 2 is effective in light of all circumstances of the transfer – this includes assessing the laws or practices of the countries where data is transferred to understand if those laws and practices may impinge on the effectiveness of the safeguards of the transfer tool.
  • Step 4:  If the assessment determines that the transfer tool alone cannot provide an essentially equivalent level of protection, identify supplemental measures that could bring the level of protection up to the standard of essential equivalence.
  • Step 5:  Implement any supplementary measures.
  • Step 6:  Re-evaluate the assessment at appropriate intervals, including developments in the countries where transfers are occurring that might affect the initial assessment of the level of protection.

IMPACT OF SCHREMS II AND THE EDPB RECOMMENDATIONS ON THE USE OF ALLEGIS GROUP SERVICES

Allegis Group customers can continue to use Allegis Group services to transfer customer personal data outside Europe in compliance with data protection laws (including the GDPR).   Allegis Group partners with its customers to implement appropriate data protection language for all of its Services, including (where the Services involve a transfer of customer personal data) incorporating the New SCCs to address transfers from the EEA and Switzerland (whether directly or via onward transfer) and incorporating the Old SCCs to address any transfers from the UK.   Allegis Group also implements rigorous technical and organizational measures to protect the confidentiality, integrity and availability of customer personal data.  

When does Allegis Group transfer customer personal data outside of Europe?

Allegis Group may transfer customer personal data outside of Europe for our Services (other than staffing services), but whether it does will depend on the specific customer engagement. Each of our service offerings is unique, and whether there is a transfer of customer personal data will depend on your location and the Services we are providing to you. In all instances where we are providing staffing services to our customers, there is no transfer of customer personal data (more on this below). For additional information regarding any particular service offerings, please work with your relationship contact at Allegis Group.

Why is there no transfer of personal data outside of Europe for staffing services? 

When Allegis Group is providing staffing services to our customers, there is no transfer of customer personal data outside Europe. This is because Allegis Group is providing talent ("Workers") to customers on a temporary basis. The Workers provide services under the direction and control of the customer at a physical location controlled by the customer or, where the work is performed remotely, at a remote location that has been approved by the customer. The customer therefore determines what customer personal data the Workers will have access to, including whether to provide Workers with any customer-controlled VPN connections, network access, file access, hardware or software. At no time does Allegis Group (as the temporary staffing agency) have access to the customer personal data that Workers may process on behalf of the customer. Since there is no transfer of customer personal data, it is not necessary to enter into the SCCs or perform a TIA. Although there is no transfer, Allegis Group still addresses any data protection risks associated with the provision of staffing services and has implemented appropriate data protection language in our customer agreements.

When Allegis Group provides staffing services, does it act as a processor or a controller for the customer’s personal data? 

When Allegis Group is providing staffing services to our customers, we are not acting as a processor or a controller of customer personal data.  As explained above, Workers that are placed with customers may have access to customer personal data but Allegis Group (as the staffing agency) does not. Furthermore, Allegis Group does not direct or control how Workers process customer personal data.  

The EDPB confirms this position in its Guidelines 07/2020 on the concepts of controller and processor in the GDPR, Version 2.0 (adopted 7 July 2021). In particular, the EDPB explains (in paragraphs 78 and 88) that when a temporary staffing agency provides Workers to a customer, neither the agency nor the Workers are acting as processors or controllers under the GDPR. Instead, the Workers are performing certain tasks as directed by, under the direct authority of and upon the instructions from the customer (without involvement from the agency). Accordingly, the EDPB confirms that the Workers process personal data as part of the customer's entity, which acts as a controller under the GDPR.

“78.  If the controller decides to process data itself, using its own resources within its organisation, for example through its own staff, this is not a processor situation.  Employees and other persons that are acting under the direct authority of the controller, such as temporarily employed staff [emphasis added], are not to be seen as processors since they will process personal data as part of the controller’s entity.  In accordance with Article 29 they are also bound by the controller’s instructions.”

"88. Whereas the terms "personal data", "data subject", "controller" and "processor" are defined in the Regulation, the concept of "persons who, under the direct authority of the controller or processor, are authorised to process personal data" is not. It is, however, generally understood as referring to persons that belong to the legal entity of the controller or processor (an employee or a role highly comparable to that of employees, e.g. interim staff provided via a temporary employment agency [emphasis added]) but only insofar as they are authorized to process personal data. An employee etc. who obtains access to data that he or she is not authorised to access and for other purposes than that of the employer does not fall within this category. Instead, this employee should be considered as a third party vis-à-vis the processing undertaken by the employer. Insofar as the employee processes personal data for his or her own purposes, distinct from those of his or her employer, he or she will then be considered a controller and take on all the resulting consequences and liabilities in terms of personal data processing."

For additional information regarding when Allegis Group acts as a controller or a processor for the Services we offer, please see our Data Protection Readiness Statement.    

Where does Allegis Group process customer personal data when it is transferred  outside of Europe?

For those Services where customer personal data is transferred outside Europe, customer personal data may be processed in any country where our group companies or third-party service providers are located. The locations will vary depending on the exact services we are providing to you. As a US-headquartered company, one of the primary locations is the United States. For additional information regarding the specific locations involved in the services we are providing to you, please contact your Allegis Group relationship contact. As the United States is a significant location for our transfers, we have provided additional information below regarding transfers to the United States.

TRANSFERS TO THE UNITED STATES

As a US-headquartered company, we transfer personal data from Europe to the US either by storing it in the US or by accessing it from the US to provide support functions in performing some of our Services. As discussed in the Schrems II ruling, there are certain surveillance laws in the US that allow government agencies to access personal data in a manner that could potentially present an obstacle for data exporters seeking to ensure an essentially equivalent standard of protection for personal data. The CJEU focused on two laws in particular, Section 702 of the Foreign Intelligence Surveillance Act of 1978 ("FISA 702") and Executive Order 12333 ("EO 12333"). However, as noted below, none of the Allegis Group Services are subject to FISA 702, and to date we have never received a government request for customer personal data under FISA 702 or knowingly assisted the US government in obtaining bulk data pursuant to EO 12333. Additionally, in the event that Allegis Group ever received such a request, we would publish as much information as legally permitted in an annual Transparency Report.

What transfer tool does Allegis Group rely on to transfer personal data to the US?

Since Privacy Shield is no longer available as a lawful transfer mechanism, Allegis Group currently relies on the New SCCs for transfers of personal data from the EEA and Switzerland to the US and the Old SCCs for transfers from the UK to the US. As noted earlier, the Schrems II ruling confirmed that the SCCs remain a valid transfer mechanism under the GDPR.  

What is FISA 702?

In the Schrems II ruling, the CJEU identified two US laws as being potential obstacles to the essentially equivalent standard of protection for personal data. The first, FISA 702, refers to Section 702 of the Foreign Intelligence Surveillance Act of 1978 (50 U.S.C. § 1881a et seq.), a US surveillance law that authorizes US government agencies to obtain foreign intelligence information sent to or from non-US persons located outside of the US. Foreign intelligence information is limited to information necessary to protect the US, including intelligence necessary to protect the US against actual or potential attacks, sabotage, international terrorism, or clandestine intelligence activities by a foreign power, the proliferation of weapons of mass destruction, or information that is necessary to protect the US national defense or the conduct of US foreign affairs. FISA 702 requests are limited to foreign intelligence information coming to or from a targeted individual. The requests cannot include information that is merely about a targeted individual.

FISA 702 applies to companies that qualify as an "electronic communication service provider", which is defined as:

(A) a telecommunications carrier, as that term is defined in section 3 of the Communications Act of 1934 (47 U.S.C. § 153); 

(B) a provider of electronic communication service, as that term is defined in section 2510 of title 18, United States Code; 

(C) a provider of a remote computing service, as that term is defined in section 2711 of title 18, United States Code; 

(D) any other communication service provider who has access to wire or electronic communications either as such communications are transmitted or as such communications are stored; or 

(E) an officer, employee, or agent of an entity described in subparagraph (A), (B), (C), or (D).

What did Schrems II say about FISA 702?

In the Schrems II ruling, the CJEU held that FISA 702 does not respect the minimum safeguards resulting from the principle of proportionality under EU law and is therefore a potential obstacle to ensuring an essentially equivalent level of protection for personal data transferred to the US. In the EDPB Recommendations, the EDPB further stated that data exporters must consider whether FISA 702 applies in practice to their particular transfer in order to determine whether supplementary measures are needed.

Are any of Allegis Group’s Services subject to FISA 702?

No, none of the Allegis Group Services are subject to FISA 702. Allegis Group conducted a thorough analysis of each of our service offerings with the assistance of outside privacy counsel and determined that Allegis Group does not provide an electronic communication service or remote computing service with respect to any of our service offerings. Allegis Group continues to monitor this as we enhance and expand our service offerings and will update this page if necessary.

What is EO 12333 and is Allegis Group subject to it?

In Schrems II, the CJEU also identified Executive Order 12333 (EO 12333) as a US law that interferes with EU data subject rights.   EO 12333 provides authorization for US intelligence agencies to conduct surveillance outside of the US and imposes certain limits, including limits on the amount of time intelligence can be retained and used.  

EO 12333 does not on its own authorize the US government to require companies to disclose data.  Instead, EO 12333 provides general authorization for surveillance but government authorities must rely on a statute (such as FISA 702) to actually collect data.  

It is Allegis Group policy not to provide any voluntary assistance to government agencies that collect information pursuant to EO 12333 and, importantly, EO 12333 does not impose any legal obligations on Allegis Group.  To date, Allegis Group has not received any requests for bulk data and does not knowingly assist the US government in obtaining bulk data pursuant to EO 12333.

What is the US Government's position regarding data transfers from Europe to the United States?

After Schrems II, the US Government issued a white paper clarifying that “as a practical matter, for many companies the issues of national security data access that appear to have concerned the [CJEU] in Schrems II are unlikely to arise because the data they handle is of no interest to the US intelligence community.” According to the US Government, “companies that fall in this category have no reason to believe their data transfers present the type of data protection risks that concerned the [CJEU] in Schrems II.”

The white paper further explains that:

  • Companies that handle “ordinary commercial information like employee, customer, or sales records, would have no basis to believe US intelligence agencies would seek to collect that data.”
  • “The theoretical possibility that a US intelligence agency could unilaterally access data being transferred from the EU without the company’s knowledge is no different than the theoretical possibility that other governments’ intelligence agencies, including those of EU Member States, or a private entity acting illicitly, might access the data.” The white paper adds that such access to data could occur anywhere in the world and not just the US.

While Allegis Group has determined that it is not subject to FISA 702, even if that were to change the white paper also explains that:

  • EU citizens, and all individuals, have individual redress for violations of FISA 702 through measures not addressed by the court in the Schrems II ruling, including FISA provisions allowing private actions for compensatory and punitive damages.
  • The US government frequently shares intelligence information with EU Member States, including data disclosed by companies in response to FISA 702 orders, to counter threats such as terrorism, weapons proliferation, and hostile foreign cyber activity. The sharing of FISA 702 information undoubtedly serves important EU public interests by protecting the governments and people of the Member States.

There is a wealth of public information about privacy protections in US law concerning government access to data for national security purposes, including information not recorded in the decision on which the CJEU based its conclusions in Schrems II, new developments that have occurred since 2016, and information the CJEU neither considered nor addressed. The white paper states that “companies may wish to take this information into account in any assessment of US law post-Schrems II” and includes references to publicly available resources which our customers may find helpful to review.

ALLEGIS GROUP’S HANDLING OF GOVERNMENT ACCESS REQUESTS

How would Allegis Group handle a government access request for customer personal data if it were to receive one?

Although we have never received a government access request concerning customer personal data, Allegis Group has implemented a Government Intelligence Data Request Policy and Procedure ("Policy") that sets out a policy and procedure for responding to government access requests relating to national security and/or intelligence gathering, including requests involving customer personal data (“Data Disclosure Requests”). This summary outlines the key elements of the Policy.

Under the Policy, all Data Disclosure Requests would be handled by the Allegis Group Global Privacy Office in consultation with the Allegis Group Legal Team. As a general principle, Allegis Group would not disclose customer personal data in response to a Data Disclosure Request unless either:   

  1. It is under a compelling legal obligation to make such disclosure; or
  2. Taking into account the nature, context, purposes, scope and urgency of the Data Disclosure Request and the privacy rights and freedoms of the affected individuals, there is an imminent risk of serious harm that merits compliance with the Data Disclosure Request.

Unless we are legally prohibited from doing so or there is an imminent risk of serious harm, Allegis Group would always notify and consult with the relevant customer if it received a Data Disclosure Request concerning customer personal data. In addition, Allegis Group would ordinarily ask the requesting authority to make the Data Disclosure Request directly to the relevant customer and Allegis Group would support the customer in accordance with the terms of its contract (including any separate data processing agreement) to respond to the Data Disclosure Request. If this were not possible (for example because the Requesting Authority declined to make the Data Disclosure Request directly to the customer), Allegis Group would notify and provide the customer with the details of the Data Disclosure Request prior to disclosing any customer personal data (unless legally prohibited from doing so or where an imminent risk of serious harm prevented us from giving prior notification).

In no event will Allegis Group transfer personal data to a Requesting Authority in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society.

Does Allegis Group publish a Transparency Report?

To date, Allegis Group has never received a Data Disclosure Request.  You can continue to visit this guide, which will be kept updated on this issue. In the event that we were ever to receive a Data Disclosure Request, we will prepare an annual report (a “Transparency Report”) to provide information (to the extent permitted by applicable laws) about the number and type of Data Disclosure Requests received and the requesting authorities that made those requests. We will also update this guide to provide you with a link to the Transparency Report.

SECURITY MEASURES

What security measures are in place to protect customers’ data?

The Allegis Group Information Security program ("Security Program") is a comprehensive, NIST-based approach to securing assets and data throughout the enterprise. The primary focus is to provide appropriate levels of confidentiality, integrity and availability such that information is appropriately protected, secure from unauthorized modification or access, and granted on a "least privilege" basis to ensure that only people who have a need to access the information can acquire it. In addition, our Security Program focuses on prevention, logging, and governance: unauthorized activities are monitored, blocked, and reported on so that we can respond to events and improve the overall security posture.

We have summarized some of the key elements of our Security Program below. Please note that the exact security measures that we use to protect our customers' personal data will depend on the services we are providing to you, the nature of the customer personal data and the locations where data is processed. Allegis Group may have agreed to additional or equivalent security measures with our customers and the specific security commitments will be set out in our customer agreements, including any data processing agreement we have entered. For additional information regarding the specific security measures involved in the services we are providing to you, please contact your Allegis Group relationship contact for more information. 

Encryption: Allegis Group encrypts personal data processed within our network. This can include the following:

  • Personal data stored on our network is encrypted using the recommended AES-256 algorithm. If a particular application does not support 256-bit keys, then 128-bit keys may be used as a documented exception. If a particular application cannot be encrypted due to performance reasons, it may be run in an isolated environment that protects the information in place of that control.
  • Allegis Group employee laptops are encrypted using full-disk AES-256 encryption
  • HTTPS encryption on every web login interface, using industry-standard algorithms and certificates
  • Secure transmission of credentials using TLS 1.2 by default
  • Access to operational environments requires the use of secure protocols such as HTTPS

Identity: Our identity services follow the NIST framework, with written standards that cover key elements. This can include the following:

  • Multi-factor authentication for external access
  • Strong password generation and verification
  • Biometric authentication for additional security
  • Enhanced security measures for the protection of administration accounts
  • Isolated management environments (bastion hosts) to limit the attack surface
  • Rights and roles for services and users provisioned through audited workflow tools
  • Extra levels of “Step up” authentication for privileged systems
  • Detailed logging and analysis of access patterns for suspicious activity
  • Proactive reporting and testing of identity services to ensure controls are in place and operational

Network Security: Allegis Group secures our services and information using a variety of network-based security tools. These can include the following:

  • Layered defence and defence-in-depth design principles
  • Boundary protection with stateful firewalls and application firewalls
  • Data flow enforcement between security domains
  • Network segmentation within the Allegis Group infrastructure
  • Active Intrusion Detection and Prevention systems at key information junctures
  • Domain Name Service hardening
  • Content filtering and protocol categorization
  • Log collection and analysis for abnormal activity.

Protecting data during transmission: Allegis Group implements appropriate controls to protect personal data during transmission. This can include the following:

  • Transporting physical media containing personal data in sealed containers
  • Maintaining shipping and delivery notes
  • Remote access to the network via VPN tunnel and end-to-end encryption 

Protecting data during storage: Allegis Group implements appropriate controls to protect personal data during storage. This can include the following:

  • Endpoint security software
  • System inputs recorded via log files
  • Access Control Lists (ACL)
  • Multi-factor Authentication (MFA)
  • Restricted access to files and programs based on "Principle of Least Privilege”
  • Storing physical media containing Personal Data in secured areas.

Malware prevention: Allegis Group incorporates the latest state-of-the-art tools in the protection of our endpoints, along with a comprehensive endpoint protection standard based on CIS configuration benchmarks. In addition, all endpoints are monitored by an "eyes on glass" external service 24x7 for immediate detection and remediation of malware, suspicious software and unusual activity.

Auditing: Allegis Group employs external and internal services to capture and process logs from all critical systems. These logs are then reviewed for security incidents, correlated for the detection of possible advanced threats, and stored in an immutable system to preserve log integrity and aid in forensic analysis. 

International standards: Allegis Group maintains international certifications including ISO 27001 for various locations and aspects of its business. ISO 27001 is an international standard for managing information security that demonstrates an organization has invested in the people, processes and technology (e.g. tools and systems) to protect the organization's data, and it provides an independent, expert assessment as to whether an organization is in compliance with the standard.

Please see Allegis Group’s Security Measures for more information about our Security Program.

Does Allegis Group offer any other additional safeguards?

In light of the information provided in this guide, including Allegis Group's practical experience dealing with government requests and the technical, contractual and organizational measures Allegis Group has implemented to protect customer personal data, Allegis Group considers that the risks involved in transferring and processing customer personal data in the US do not impinge on our ability to comply with our obligations under the SCCs or to ensure that the rights of EU data subjects remain protected. Therefore, we do not consider that additional supplementary measures are necessary at this time.

ADDITIONAL QUESTIONS

Who can I contact with additional questions?

If you have any further questions about how Allegis Group protects customer personal data, please contact your relationship contact at Allegis Group.

Legal Notice:  Customers are responsible for making their own independent assessment of the information in this guide.  This guide (a) is for informational purposes only, (b) represents Allegis Group’s current service offerings and practices, which are subject to change without notice, and (c) does not create any commitments or assurances from Allegis Group.   The responsibilities and liabilities of Allegis Group to its customers are controlled by Allegis Group agreements, and this guide is not part of, nor does it modify, any agreement between Allegis Group and its customers. This guide does not constitute legal advice.