International Data Transfer Assessment

Updated July 2026

 

Cision provides services under the names of Cision, Brandwatch, PR Newswire and Trajaan.

This assessment has been prepared to assist Cision (customers, influencers, media contacts and other relevant individuals with enquiries about how Cision assesses and protects international and out-of-province transfers of personal information.

It addresses transfers from the EEA, UK, Switzerland and Québec, including transfers or remote access to Cision group entities, customers, vendors, subprocessors and cloud providers in the USA, UK, EU and other jurisdictions. Cision’s approach is based on applicable legal mechanisms, transfer assessments, contractual safeguards and technical and organisational measures.

Relevant transfer mechanisms may include adequacy decisions, the EU-US Data Privacy Framework where applicable, the UK Extension to the EU-US Data Privacy Framework where applicable, the Swiss-US Data Privacy Framework where applicable, the European Commission’s 2021 Standard Contractual Clauses, the UK International Data Transfer Agreement or UK Addendum, transfer impact assessments, transfer risk assessments, Québec Law 25 privacy impact assessments, and supplementary measures where required.

International transfer law continues to evolve. Cision keeps its approach under review in light of regulatory guidance and legal developments from the European Commission, EDPB, ICO, Commission d’accès à l’information du Québec, Swiss authorities and other applicable supervisory authorities and courts.

1. What was the Schrems II decision about?

Schrems II was the July 2020 Court of Justice of the European Union decision that invalidated the EU-US Privacy Shield and confirmed that exporters relying on Standard Contractual Clauses must assess whether the clauses are effective in practice for the relevant transfer.

The decision remains relevant because it requires a practical assessment of the destination country’s law and practice, the nature of the data, the recipient, the transfer mechanism and any supplementary safeguards.

Since Schrems II, the legal landscape has changed. The EU-US Data Privacy Framework, UK Extension to that Framework and Swiss-US Data Privacy Framework may now be relevant for transfers to certified US organisations. Where those frameworks do not apply, Cision may rely on SCCs, UK transfer instruments, transfer assessments and supplementary measures.

2. Do you transfer personal data outside Europe or Québec and specifically to the US?

Yes. Cision is a global business and certain personal data may be transferred, stored or accessed outside the jurisdiction in which it was originally collected, including outside the EEA, UK, Switzerland and Québec, and including in the United States.

The applicable transfer mechanism depends on the product, Cision entity, data category, customer relationship, recipient, destination country and whether the recipient is certified under an applicable data privacy framework or otherwise covered by another transfer mechanism.

3. What personal data do you transfer?

The personal data transferred is described in the relevant Cision and Brandwatch privacy notices and contractual documentation. Broadly, it may include: Cision media contact and influencer data; customer-provided media or influencer lists; customer account and user data; Brandwatch online author and social media data; customer-authenticated social handles or private contacts; and Cision internal business personal data such as HR data, where relevant.

  • Cision media contact / influencer data: professional and public-facing contact and profile information about journalists, media contacts, influencers and similar professional contacts.
  • Customer-provided media or influencer data: names, contact details, social handles, notes, lists or other information a customer provides or imports into Cision services.
  • Brandwatch online author data: publicly available online posts, handles, usernames, profile data, images, interests, location or other information that may identify online authors.
  • Customer and user data: business contact details, login details, usage data, account administration information and support information.
  • Internal business data: employee, contractor and operational data. This page focuses primarily on customer-facing and influencer/media/social author datasets.

4. Who do you transfer personal data to?

Depending on the product and data flow, personal data may be transferred or made accessible to Cision group entities, Brandwatch group entities, customers, vendors, subprocessors, cloud/infrastructure providers, email and communications providers, customer support tooling, security providers and professional advisers.

Cision may also make certain public-facing media contact and author datasets available to customers using Cision or Brandwatch services, subject to contractual and product controls. Customer-provided data is processed in accordance with the applicable agreement and data processing terms.

5. What is your approved mechanism for international data transfers?

For EEA transfers, Cision may rely on European Commission adequacy decisions, including the EU-US Data Privacy Framework where the US recipient is certified and the transfer falls within the scope of that certification. Brandwatch relies on this mechanism for its transfers to the USA.

Where no adequacy mechanism applies, Cision may rely on the European Commission’s 2021 Standard Contractual Clauses and related transfer assessments and supplementary measures where required.

For UK transfers, Cision may rely on UK adequacy regulations, including the UK Extension to the EU-US Data Privacy Framework where applicable. Brandwatch relies on this mechanism for its transfers to the USA.

Where required, Cision may use the UK International Data Transfer Agreement or UK Addendum to the EU SCCs, together with a UK transfer risk assessment / data protection test.

For Swiss transfers, Cision may rely on Swiss adequacy mechanisms, including the Swiss-US Data Privacy Framework where applicable, or other Swiss transfer safeguards. Brandwatch relies on this mechanism for its transfers to the USA.

For Québec transfers outside Québec, Cision applies a Québec Law 25 transfer assessment approach.

6. Is your business subject to US surveillance laws under Section 702 FISA and EO 12333?

Cision is not a telecommunications carrier. In respect of some services, such as email or communications-related services, Cision may in principle be considered a provider of electronic communications services and therefore potentially within the scope of certain US surveillance-law concepts.

Cision assesses this risk in context, including the categories of personal data transferred, whether the data is public or professional in nature, the recipient, the destination, the technical and organisational measures in place, and the likelihood of access requests in practice.

7. Is Cision aware of any surveillance being undertaken by law enforcement agencies in the US or elsewhere in relation to its systems and databases?

Cision is not aware of surveillance activities specifically targeted at Cision systems or databases. Cision will keep this position under review and will consider any lawful request in accordance with its policies, applicable law and contractual commitments.

8. Does Cision receive requests from law enforcement agencies for disclosure of personal data?

Cision may receive subpoenas or other lawful requests for information from law enforcement, regulatory or government authorities. Any such request is reviewed for validity, authority, scope and legal basis before any disclosure is made.

9. What is Cision’s approach to requests by government agencies for access to personal data held by Cision?

Cision complies with valid legal obligations but does not voluntarily provide personal data to government or surveillance authorities without a lawful basis. Cision reviews requests to confirm that they are validly made, properly authorised and limited to the personal data that falls within the scope of the lawful request.

Where permitted by law, Cision may notify the relevant customer, exporter or affected party. Where disclosure or notice is legally prohibited, Cision will assess whether the request can be challenged or narrowed.

10. Does Cision disclose the fact that government agencies have requested access to personal data?

Cision may disclose the existence of a government request where permitted by applicable law. Some requests may be subject to confidentiality or non-disclosure obligations, in which case Cision may be unable to disclose the existence or details of the request.

11. How often does Cision receive requests from government agencies for personal information related to customers or influencers?

Across its related entities, Cision only occasionally receives information requests. Cision’s risk assessment considers the nature of the data involved, the likelihood of requests, and whether the requested information is already public-facing or otherwise low sensitivity.

Cision will continue to assess request history and legal developments as part of periodic review of its international transfer posture.

12. What assessment have you made of your international data transfers?

Cision assesses relevant transfer data flows on a risk-based basis, including transfers within the Cision group, transfers to subprocessors and vendors, and transfers or access by customers where Cision is responsible for the transfer mechanism.

The assessment considers the product, data categories, data subject groups, destination country, recipient role, transfer mechanism, availability of adequacy or DPF certification, contractual safeguards, technical and organisational measures, likelihood and nature of government access, and whether supplementary measures are needed.

For Cision media contact, influencer and Brandwatch online author data, Cision considers that the overall transfer risk is generally low to moderate and manageable because much of the data is professional, public-facing or publicly available. However, the data remains personal information and may contain user-generated content, social handles, profiles, inferred interests or location, so Cision applies safeguards and individual-rights processes.

13. What technical measures are you taking to ensure that personal data transferred internationally is adequately protected?

Cision maintains technical and organisational measures designed to protect personal data, including access controls, security governance, encryption in transit and at rest where applicable, vendor security review, incident response and other controls appropriate to the sensitivity, volume and distribution of the data.

Details of such measures are summarised in Cision’s Security Statement and  The Brandwatch Security Programme.  

Where Cision engages processors or subprocessors, Cision requires appropriate security measures and contractual commitments. Technical measures may vary by product, system, data category and hosting environment.

14. What other supplementary measures are you taking to ensure that transferred personal data is adequately protected?

Cision considered supplementary measures in light of the specific circumstances of the transfers and we do not believe that the transfers outside the EEA of Brandwatch and Online Content Author Data create any material or additional risk over and above the risks that already exist, as a result of that data being made publicly available by the data subjects.   

The two critical factors in reaching this conclusion are that:

(a) the vast majority of data that is transferred is public domain data (available for example on public social media platforms or websites where it has been posted by the data subjects themselves); and

(b) the nature of the data transferred is low risk.  If a government agency wished to access Online Content Author personal data it could access that data by accessing the public domain sources used by Brandwatch (Eg. Twitter, Facebook, public websites).  In our view, the risk of US surveillance mechanisms being applied to Brandwatch is low and if they were applied it would relate to data that is already publicly available.

Therefore, measures include contractual commitments, data minimisation, role-based access, encryption, vendor due diligence, internal policies, legal request review, notice where permitted, and periodic reassessment where products, vendors, hosting or legal frameworks materially change.

Cision will notify relevant parties where required or permitted if it believes it can no longer comply with applicable transfer commitments. Cision will also review legal developments and update safeguards where necessary.

User Data is generally limited to the personal contact information of our customer account contacts and activity on customer accounts.  We believe that such data is also low risk.

Notwithstanding the above, Brandwatch acknowledges that access by US government agencies to personal data held by Brandwatch is theoretically possible. For this reason, Brandwatch will be implements the measures to protect the personal data that it transfers outside the EEA, UK and Switzerland as described in section 13.

15. Are you able to provide services without international transfer of customer data?

Some Cision and Brandwatch services require international processing or access to provide global media intelligence, monitoring, social listening, analytics, distribution, support and account-management functionality. In some cases, it may not be possible to provide the relevant service without international or out-of-province transfer, storage or access.

The precise position depends on the product, customer configuration, hosting environment and data category. Customers with specific residency requirements should raise them before the contracting process.

16. What control does a customer have over the data that is transferred?

Customers control the customer-provided personal data they choose to upload, import, authenticate or otherwise make available to Cision or Brandwatch services. This may include private media lists, customer-authenticated social accounts, contact lists, prompts, search terms, notes, direct messages or other customer data.

If a customer has concerns about particular personal data being transferred or accessed outside a jurisdiction, the customer should avoid providing that data or should discuss available configurations or safeguards with Cision before doing so.

17. Should Cision customers be concerned about personal data included in private lists or customer-managed datasets?

Customers should assess whether personal data they upload or import into Cision or Brandwatch services is sensitive, confidential, subject to special regulatory controls, or otherwise unsuitable for international processing. Customers should minimise unnecessary personal data and avoid including sensitive data unless required and supported by the applicable service and agreement.

Where data includes private contacts, direct messages, sensitive personal information, special category data or confidential customer data, customers should conduct their own assessment and apply appropriate controls before providing it to Cision.

18.  Use of SCCs

Cision has implemented the European Commission’s 2021 Standard Contractual Clauses in its customer data processing arrangements where SCCs are the appropriate EEA transfer mechanism. Historic 2010 SCC transition wording should no longer be used.

For UK transfers, Cision uses the UK International Data Transfer Agreement or UK Addendum to the EU SCCs where required. Cision will continue to review and update transfer terms to reflect legal developments.

19. How will you address transfers to countries other than the US?

Cision considers transfers to countries other than the US using a risk-based approach that takes account of the destination country, relevant legal framework, recipient, transfer mechanism, data categories, sensitivity, purpose, and available contractual, technical and organisational measures.

Where the destination jurisdiction has an adequacy decision or equivalent recognised mechanism, Cision may rely on that mechanism where applicable. Where no adequacy mechanism applies, Cision will consider appropriate safeguards and supplementary measures as required.

20. What steps are you taking to ensure that third-party suppliers/vendors provide an adequate level of protection?

Cision conducts vendor and subprocessor diligence appropriate to the nature of the service and data processed. Relevant controls include contractual data protection terms, security and privacy review, subprocessor transparency, data transfer terms, incident obligations and periodic reassessment where appropriate.

For cloud and infrastructure providers, Cision assesses the provider’s contractual safeguards, security posture, location/access model and transfer mechanism as part of vendor and transfer compliance processes.

21. How does Cision address transfers to and from the UK after Brexit?

The UK GDPR contains its own international transfer rules. Transfers from the EEA to the UK may rely on the European Commission adequacy decision for the UK where applicable. Transfers from the UK to the EEA may rely on the UK’s adequacy treatment of the EEA where applicable.

For UK transfers to countries outside the UK, Cision considers whether UK adequacy regulations, the UK-US Data Bridge / UK Extension to the EU-US DPF, the UK IDTA, the UK Addendum or another relevant mechanism applies. Where required, Cision will consider a UK transfer risk assessment / data protection test.

22. What steps has Cision taken to tell influencers of these changes?

Cision and Brandwatch maintain public privacy notices for relevant individuals, including journalists, media contacts, influencers, online authors and service users. These notices explain the types of data processed, purposes of processing, international transfer concepts, individual rights and routes to contact privacy teams.

Cision will review and update public privacy notices where needed to reflect material changes in transfer mechanisms, products, hosting or applicable law.

23. What steps can influencers, media contacts or online authors take to protect their personal data?

Influencers, journalists, media contacts and online authors may contact Cision or Brandwatch to exercise applicable rights, including access, correction, deletion, suppression, opt-out or objection, depending on their location and applicable law.

Where an individual is concerned about personal data being transferred outside their jurisdiction, Cision or Brandwatch may review the relevant profile or record and, where appropriate, amend, suppress or remove data in accordance with applicable law and product functionality.

24. Québec Law 25 transfers to USA, UK and EU cloud providers

Québec Law 25, formerly Bill 64, requires private-sector organisations carrying on an enterprise to assess certain communications of personal information outside Québec before the transfer takes place. This includes where personal information is communicated outside Québec, or where a third party outside Québec is entrusted with collecting, using, disclosing or keeping the information on the organisation’s behalf.

For Cision and Brandwatch services, this may apply where Québec personal information in media contact, journalist, influencer, online author, customer user, customer-authenticated social account, private-list or support datasets is stored, accessed or processed by cloud providers, affiliates, vendors or subprocessors in the USA, UK or EU.

Cision’s Québec transfer assessment considers the sensitivity of the information, purposes of use, protective measures including contractual and technical measures, and the legal framework of the destination jurisdiction. In general, transfers to USA, UK and EU cloud providers may proceed where they are necessary for service provision or support, covered by appropriate contractual safeguards, subject to vendor/security diligence, and supported by proportionate access controls and security measures.

Destination

Assessment position

Key safeguards

USA cloud providers

Moderate transfer risk because US law and government access frameworks differ from Québec; manageable where data is largely public/professional and controls are in place.

Contractual safeguards, vendor due diligence, access controls, encryption where applicable, legal request review, customer/subprocessor transparency and individual rights processes.

UK cloud providers

Generally lower transfer risk than the USA due to mature UK data protection law and UK GDPR framework; still a transfer outside Québec requiring assessment.

Contractual safeguards, security controls, access limitation, vendor review, incident obligations and individual rights support.

EU cloud providers

Generally lower transfer risk due to GDPR-based protections; still a transfer outside Québec requiring assessment.

Contractual safeguards, GDPR-aligned processing terms where applicable, access controls, security measures and subprocessors/vendor oversight.

 

Assessment conclusion: transfers to USA, UK and EU cloud providers are approved where they are necessary for Cision or Brandwatch services, proportionate to the purposes of processing, documented through appropriate contract and vendor-review processes, and subject to safeguards appropriate to the sensitivity and volume of personal information involved.