Data Processing and Transfer Terms

The Parties acknowledge and agree the Digital Images processed under the Standard Agreement to Create and Share Digital Images (“Agreement”) contain Personal Data subject to applicable Privacy Laws. As a result, the Parties agree to the applicable Data Processing and Transfer Addendum listed below, with the Record Custodian as Controller and Exporter and FamilySearch International as Processor and Importer. The Parties understand and agree the applicable Data Processing and Transfer Addendum listed below is determined by the physical location of the Record Custodian, unless another location is designated by the Record Custodian in writing at the time of entering into the Agreement.

  • (1) For Record Custodians in the following locations, the EU Standard Contractual Clauses, Module 2: Controller to Processor (“EU SCC, Module 2”) (located here) apply:

    Afghanistan, Algeria, Austria, Australia, Bahrain, Barbados, Belgium, Belize, Botswana, British Virgin Islands, Bulgaria, Burkina Faso, Cayman Islands, Congo, REP, Cook Islands, Croatia, Cuba, Cyprus, Czech Republic, Denmark, Ecuador, Egypt, Estonia, Eswatini, Ethiopia, Fiji, Finland, France, French Guiana, French Polynesia, French Southern Territories, Gabon, Germany, Glorioso Islands, Greece, Grenada, Guam, Guyana, Haiti, Hungary, India, Indonesia, Iran, Iraq, Ireland, Italy, Israel, Jamaica, Japan, Jordan, Juan de Nova Island, Kiribati, Kuwait, Latvia, Lebanon, Libya, Liechtenstein, Lithuania, Luxembourg, Malta, Marshall Islands, Melanesia, Mexico, Micronesia, Mongolia, Morocco, Nauru, Nepal, The Netherlands, New Caledonia, Niger, Niue, Norway, Oman, Palau, Panama, Papua New Guinea, Pakistan, Palestine, Pitcairn Islands, Poland, Portugal, Republic of Moldova, Romania, Saint Kitts and Nevis, Samoa, Seychelles, Slovakia, Slovenia, Solomon Islands, Somalia, South Africa, South Korea, Spain, Sri Lanka, Sudan, Sweden, Switzerland*, Tanzania, Thailand, Togo, Tokelau, Tonga, Tunisia, Turkey, Tuvalu, Uganda, United Arab Emirates, United Kingdom**, Vanuatu, Wallis & Futuna, Zambia, Zimbabwe

    * Although the EEA Data Processing and Transfer Addendum applies to Switzerland, Switzerland also requires additional language, which is hereby incorporated into the Addendum and is provided below.

    ** Although the EEA Data Processing and Transfer Addendum applies to the United Kingdom, the United Kingdom also requires additional language, which is hereby incorporated into the Addendum and is provided below.

    The following applies to the EU SCC, Module 2 as agreed to by the parties referenced above:

    • Clause 7 (Docking clause) is stricken.

    • Clause 9 (Use of sub-processors) incorporates OPTION 2: GENERAL WRITTEN AUTHORISATION.

    • Clause 11 (Redress) does not incorporate the OPTION in (a).

    • Clause 13 (Supervision) incorporates language applicable to exporters established in an EU Member State.

    • Clause 17 (Governing Law) incorporates OPTION 1; the law of the country of the data exporter applies.

    • Clause 18 (Choice of forum and jurisdiction): the courts of the country of the data exporter apply.

    • ANNEX I: See below.

    • ANNEX II: See below.

    • ANNEX III: See below.


ANNEX I
  1. List of Parties

    • Data Exporter

      1. Name: Record Custodian identified in the Agreement

      2. Address: Address of Record Custodian identified in the Agreement

      3. Contact: See the “Contact Information for Notices” specified for Record Custodian in the Agreement

      4. Activities relevant to the data transferred under the Clauses: Relevant activities are described in Section B (“Description of Transfer”) below

      5. Role: Controller

    • Data Importer

      • Name: FamilySearch International

      • Address: 36 S State St., Ste 1900, Salt Lake City, UT 84111

      • Contact: Manager, Data Privacy Office - 50 East North Temple Street, Salt Lake City, Utah 84150

        1. Telephone: (801) 240-1187

        2. Email: Dataprivacyofficer@churchofjesuschrist.org

      • Activities relevant to the data transferred under the Clauses: Relevant activities are described in Section B (“Description of Transfer”) below

      • Role: Processor

  2. Description of Transfer

    Categories of data subjects whose personal data is transferred

    • Data subjects found in historical and genealogical records whose personal data are being preserved for research, historical and statistical purposes.

    Categories of personal data transferred

    • Genealogical data - Information collected to preserve people’s personal and family history:

      • Names (data subject’s name, father’s and mother’s names, children’s names, sibling’s names, spouse’s names, etc.)

      • Family relationships (names of individuals, siblings, parents, children, grandparents, aunts, uncles).

      • Biographical information (name, birth date, death date, stories and details about the individual’s life, occupation, education, location of life events, personal religious events – baptism, confirmations, etc.)

      • Birthdate, birthplace, and related details (sex of child, names of parents, address of parents at time of birth, or adopted parents depending on the type of birth record in question, date of birth, and location of birth).

      • Age

      • Gender

      • Marriage date, place, and related details (name of individual, parents, etc.)

      • Death date, deathplace, and related details (name of individual, manner of death)

      • Nationality

      • Personal characteristics, including photographic image

      • Other information contained in acquired genealogical and historical records, including from censuses (individual names, children, occupation, residence), family histories (biographical data, names, family relationships), parish registers (names of congregation members, residence, dates of birth, family relations), church records (birth, marriage, death records, baptisms, confirmations), civil registrations (birth, marriage, and death records), newspaper obituaries (birth, land records, state archive collections), and naturalization records (citizenship records, immigration records, naturalization records including names, birth dates, country of origin, country of residence & address, family member names, occupation, some country specific items depending on the country and date of collection).

    • Sensitive data – Information that is incidentally included in historical and genealogical records that may be defined as sensitive under Privacy Laws:

      • Identity & Demographic Data (racial or ethnic origin, national origin, tribal origin, social status, specific identity (unique identifiers, e.g., passports, SSN, driver’s license, state ID), marital status, age, color, citizenship or immigration status, status as a victim of crime or having suffered damage by a crime)

      • Beliefs & Associations (religious beliefs or affiliations, philosophical beliefs, moral beliefs, ideological convictions, political opinions, political persuasion, political ideologies, or political affiliation, trade union membership, guild membership, union affiliation, membership in professional or social associations, or human rights organizations)

      • Health & Genetic/Biometric Data (current or future physical or mental health condition, status, or diagnosis, medical history, medical records, medical treatment, provision of healthcare, psychological or physiological status, genetic data (inherited or acquired characteristics, human biological profile), biometric data (used for unique identification, automated verification, or revealing additional sensitive characteristics), neural data (brain/neuro-related data, cognitive/emotional data))

      • Criminal & Legal Data (criminal record or history, criminal behavior or acts, commission or alleged commission of an offense, proceedings, outcomes, sentences, or penalties relating to criminal matters)

      • Location & Communication Data (geolocation data (precise or specific location, including GPS coordinates), communications data, including content and metadata of calls, texts, emails, or mail, contents of mail, email, or text messages (unless addressed to the recipient))

      • Youth Data (any personal data associated with a minor)

      • Other Special Categories

        • Personal habits, lifestyle, and intimate/private life circumstances

        • Moral or ethical characteristics

        • Family matters or emotional/family life data

        • Education records

        • Employment-related data tied to protected characteristics

        • Consumer health data (broader than medical records, including wellness/fitness, pregnancy, etc.)

        • Data relating to ideology or beliefs not otherwise captured

        • Any data that may significantly threaten privacy, dignity, safety, or property if misused

        • Data with heightened risk of discrimination or harm depending on context (e.g., TV-viewing data classified as sensitive by FTC)

        • Marital status (names, dates, etc.)

        • Government identification number or similar details (SSNs, etc.)

        • Passport number

        • Religious Affiliation (Information in church records including membership numbers, names, birth dates, baptism dates, marriage dates, death dates, and data related to specific religion).

        • Data pertaining to minors (names, birth dates, parents, siblings, guardianship records, adoption information, judicial records, educational records)

        • Health-related data (illnesses, hospital stays, methods of death)

        • Criminal history (names, dates of incarceration, rulings concerning individual)

        • Trade union membership (names of members, date of membership, fee information for membership, etc.)

        • Racial or ethnic origin (region or country of origin)

        • Religion (name and religion affiliation)

        • Political affiliation (name and political party, donation information)

    The frequency of the transfer (e.g., whether on a one-off or continuous basis).

    • Ad Hoc

    Nature of the processing

    • The personal data transferred may be subject to various processing activities, when legally permitted, including digitizing, indexing, hosting, storing, transmitting, redacting, and displaying. These activities are supported by cloud-based data centers, including those in the United States, to the extent allowed by the Privacy Laws. For example, the data may be processed to support the following activities:

      • Preservation of Historical Records: Digitizing, preserving, indexing, storing, and/or archiving historical documents, photos, and artifacts for future generations, as instructed by the data exporter.

      • Genealogy: Once permitted by Privacy Laws and by the data exporter (e.g., when the data is no longer restricted), the data may be included in applications used by researchers and website users to support the tracing of lineage or family history records or other genealogy research, programs, and activities.

        • Family History Research: Collecting and preserving information about one’s ancestors and family tree.

        • Genealogy Instruction: Provide training and resources to help millions of people around the world discover their heritage and connect with family members.

    Purpose(s) of the data transfer and further processing

    • The data transfer to the data importer (at the data importer’s global headquarters) and further processing by the data importer supports the preservation and storage of historical family records for the benefit of public archives, government bodies, indigenous peoples, private archives, other private bodies, and individuals. If permitted by Privacy Laws and by the data exporter (e.g., when the data is no longer restricted), these records may also be made publicly available on the data importer’s website for free for research purposes.

    The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

    • Personal data collected for historical preservation purposes will be retained according to the instructions of the data exporter for as long as requested. In many cases, so long as the records retain historical value they may be retained indefinitely for archival purposes and to document genealogy, unless a data subject requests erasure.

    For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing

    • The data importer processes personal data to preserve historical records and for genealogical research purposes, at the instruction of the data exporter. The data importer may engage a processor or sub-processor pursuant to a processing or sub-processing agreement to assist with data processing for these same purposes and to perform functions on behalf of the data exporter and/or data importer (for example, digitizing and indexing historical records). The processing or sub-processing agreement will provide additional details regarding the subject matter, nature, and duration of the processing.

  3. Competent Authority

    Identify the competent authority/ies in accordance with Clause 13

    • The supervisory authority of the country of the Data Exporter identified in Annex I.A.

ANNEX II:

TECHNICAL AND ORGANIZATIONAL MEASURES FOR FAMILY SEARCH INTERNATIONAL (IMPORTER)

This document outlines the technical and organizational information security measures employed by Family Search International (Importer) (“FSI”).

Technical and Organizational Security Measures. FSI maintains a comprehensive Information Security Program and implements reasonable technical and organizational security measures, based on industry standards, organizational needs, and risk, to minimize and protect against unauthorized or unlawful processing, accidental or intentional loss, unauthorized access, destruction, or damage. These measures help ensure the confidentiality, integrity, availability, and resiliency of FSI’s and FSI’s systems and data. On systems not directly controlled by FSI, FSI partners with FSI to implement commensurate security controls. FSI’s Security Program includes the following elements:

1. Policies and Processes. FSI and FSI maintain formal written policies and processes to ensure the confidentiality, integrity, and availability of data and to protect it from accidental, unauthorized, or improper disclosure, use, alteration, or destruction. These policies are reviewed and updated annually or more frequently whenever appropriate. Policies and procedures are intended to ensure that physical, technical, and administrative safeguards are in place and operate effectively.

2. Access Controls.

Physical Access - FSI and FSI implement reasonable measures to prevent unauthorized persons from gaining access to data processing equipment (database servers, application servers, network switches, firewalls, controllers, and related hardware) where personal data is processed or used.

Logical Access - FSI and FSI implement reasonable security measures to prevent unauthorized access to their data processing systems. FSI and FSI maintain and review FSI users with access to data processing systems. FSI and FSI grant access to a limited number of people based on the business-approved need.

3. Security Training and Awareness. FSI maintains a formal security awareness and training program for members of the FSI workforce and FSI workforce users. The program includes required learning modules that ensure users’ awareness of key information security concepts and policies, annually, or as frequently as is practical. Annual training topics include the appropriate classification and handling of sensitive information. In addition to formal training, recurring unannounced phishing simulation exercises reinforce training on how to identify, report, and avoid malicious email messages.

4. Data Protection. FSI and FSI implement reasonable measures to prevent personal data from being inappropriately used, read, copied, altered, or deleted by unauthorized parties both in transit and at rest. Data protection controls are deployed using a defense in depth approach.

5. Monitoring. FSI and FSI implement reasonable measures to monitor access to sensitive systems and network resources and to ensure that users act in accordance with policy. Logs are retained based on business need and regulatory requirements and are stored in a central repository or in a platform-native repository with the ability to migrate to the central repository as needed. Logs are stored and secured in a manner that helps ensure accuracy and immutability. FSI maintains a set of automated alerts to identify potentially malicious activity. FSI and FSI log data is regularly reviewed to identify potential attacks and to support FSI and FSI Incident Response efforts.

6. Endpoint Detection & Response. FSI implements reasonable controls on user and server endpoints, including endpoints for FSI, that provide protection against the propagation of malware, centralized alerting, host process and file query, and system isolation capabilities.

7. Security Incident Response (IR) Procedures. FSI maintains written IR policies and procedures to detect, respond to, and otherwise address security incidents. FSI operates a 24/7 Security Operations Center (SOC) to triage events of interest, monitor systems for actual and attempted attacks or intrusions, mitigate harmful effects of security incidents, and document security incidents and their outcomes. Agreements are maintained with third party incident response providers to facilitate rapid engagement from third parties in the event of a major incident or where an incident requires specialized forensic analysis. FSI also maintains a full-time FSI-focused security team for special support and triage. The SOC works closely with FSI’s Data Privacy Office (DPO) and Office of General Counsel (OGC) and external security experts to ensure incidents are handled in accordance with applicable laws and regulations.

8. Security and Risk Assessments. FSI and FSI maintain reasonable policies and procedures to help assess the effectiveness of security controls, identify security control failures, and to identify, evaluate, and assess security control gaps using a risk-based approach.

9. System Configuration & Maintenance. FSI and FSI maintain reasonable policies and procedures to help ensure data processing equipment (servers, databases, laptops, firewalls, switches, routers, controllers, etc.) is appropriately configured to help ensure personal data is adequately protected. FSI maintains a vulnerability management program to help identify vulnerabilities within the FSI environment and communicate them to the appropriate resources to facilitate timely remediation.

10. System and Information Resiliency. FSI and FSI implement reasonable measures to ensure personal data is adequately protected from accidental or malicious use, alteration, or destruction and that data which has been accidentally or maliciously used, altered, or destroyed is identifiable and restorable. FSI and FSI implement data and system backup procedures that include online, nearline, and offline copies based on data criticality and business needs. FSI and FSI utilize highly redundant information systems to ensure high availability and performance applications and systems.

11. Compliance. FSI maintains a Data Privacy Office for FSI which manages compliance with data protection laws and regulations. FSI also maintains an internal IT compliance program for FSI focused on testing and validation of security controls, processes, and procedures through internal assessments.

12. Accountability. FSI and FSI have a designated security official responsible for the development, implementation, and maintenance of the Information Security Programs at FSI and FSI. Additionally, FSI’s Information Security Program Policy outlines the roles and responsibilities of all stakeholders in the Information Security Program and is published in a repository that is accessible by all workforce users.

13. Appropriate Use and Retention of Records. FSI and FSI implement policies and processes that govern the use of and retention of confidential data, including personal data. Processes are in place to ensure data complies with the data sharing requirements of data owners and includes oversight for the acceptable use of artificial intelligence technologies.

14. Updates. FSI and FSI monitor, evaluate, and adjust the Information Security Program annually or as needed, considering relevant changes in technology, industry security standards, the sensitivity of personal data, and internal or external potential threats to personal data.

ANNEX III:
LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors:*

  • ANCESTRY

  • BART DEVELTER V.O.F.

  • BRIGHAM YOUNG UNIVERSITY

  • CENTURY VITAL RECORDS (CVR)

  • CONTENT ARCHAEOLOGY

  • DATADISC.IT S.R.L.

  • DIE MOBILE SEKRETÄRIN E.U.

  • DIGITAL 4 KIT

  • DOUBLE DIGITAL

  • EMPRESA DE ARQUIVO DE DOCUMENTAÇÃO S.A.

  • FORMAX

  • GENEALAB

  • GENESIS

  • GREYSCALE LTD.

  • INFOSCRIBE SAS

  • INTELLIGENT IMAGE MANAGEMENT (IIMI)

  • IRON MOUNTAIN CESKA REPUBLIKA S.R.O.

  • LIFEWOOD

  • MATERN

  • MYHERITAGE

  • NORMADAT S.A.

  • OSG RECORDS MANAGEMENT

  • PEDRO CRUZ MARTINEZ

  • RASTERGEN – GESTÃO DOCUMENTAL UNIPESSOAL (LDA)

  • SBL

  • STASIS S.A.S.

  • SVI

  • TRUEBPO INC (FORMERLY EQOD INC)


(1.1) For Record Custodians in Switzerland the following applies in addition to the EU Standard Contractual Clauses, Module 2: Controller to Processor (“EU SCC, Module 2”):

Swiss Addendum to the EU Standard Contractual Clauses

Where a transfer of personal data from a Data Exporter to a Data Importer is subject to the EU GDPR and the FADP (as defined below), the following additional provisions shall also apply in order for the Standard Contractual Clauses to be suitable for ensuring an adequate level of protection for such transfer in accordance with Article 6 paragraph 2 letter of the FADP:

(a) “FADP” means the Federal Act on Data Protection of 19 June 1992 (SR 235.1).

(b) “FDPIC” means the Swiss Federal Data Protection and Information Commissioner.

(c) “Revised FADP” means the revised version of the FADP of 25 September 2020, which is scheduled to come into force on 1 January 2023.

(d) The term “EU Member State” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility for suing their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses.

(e) The Standard Contractual Clauses also protect the data of legal entities until the entry into force of the Revised FADP.

(f) The FDPIC shall act as the “competent supervisory authority” insofar as the relevant data transfer is governed by the FADP.


(1.2) For Record Custodians in the United Kingdom (“UK”) the following applies in addition to the EU Standard Contractual Clauses, Module 2: Controller to Processor (“EU SCC, Module 2”):

International Data Transfer Addendum to the EU Commission Standard Contractual Clauses

(“UK IDTA”)

The International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (located here) is hereby incorporated by reference and the following applies:

Part 1: Tables

Table 1 is populated exactly as in EU SCC, Module 2, Annex I.

Table 2 - The following applies to the EU SCC, Module 2 as agreed to by the parties referenced above:

  • Clause 7 (Docking clause) is stricken.

  • Clause 9 (Use of sub-processors) incorporates OPTION 2: GENERAL WRITTEN AUTHORISATION.

  • Clause 11 (Redress) does not incorporate the OPTION in (a).

  • Clause 13 (Supervision) incorporates language applicable to exporters established in an EU Member State.

  • Clause 17 (Governing Law) incorporates OPTION 1; the law of the country of the data exporter applies.

  • Clause 18 (Choice of forum and jurisdiction): the courts of the country of the data exporter apply.

Table 3 – is populated with the EU SCC, Module 2 Annex I, II, and III.

Table 4 – The UK IDTA may be ended by either Party (Importer and Exporter).

Part 2 – Mandatory Clauses

All mandatory clauses apply; in the reverse, the Alternative Part 2 Mandatory Clauses do not apply.


  • (2) For Record Custodians in the following locations, the EU Standard Contractual Clauses, Module 2: Controller to Processor (“EU SCC, Module 2”) (located here) apply:

    Albania, Andorra, Armenia, Azerbaijan, Belarus, Bosnia and Herzegovina, Georgia, Guernsey, Isle of Man, Jersey, Kazakhstan, Kenya, Monaco, Kosovo, Montenegro, Nigeria, North Macedonia, San Marino, Russia, Serbia, Syria, Turkey, Ukraine, Vietnam, Yemen.

  • (3) For Record Custodians in the following locations, the ASEAN Model Contractual Clauses, Module 1: Controller to Processor (“MCCs, Module 1”) (located here) apply:

    Brunei Darussalam, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand, Vietnam

    The following applies to the MCCs, Module 1 as agreed to by the parties referenced above:

    • Clause 2 (Obligations of Data Exporter) is stricken.

    • Clause 3 (Obligations of Data Importer) optional sub-clauses 3.4, 3.6, 3.7, and the optional language in 3.7 are stricken. Sub-clause 3.10 is, “…within a reasonable time period specified by Partners.”

    • Clause 4 (Choice of Law Disputes) incorporates the ASEAN Member State of the exporter in 4.1. Operational sub-clause 4.3 is stricken.

    • Clause 6 (Termination of Contract) incorporates “30 days” into sub-sub-section 6.1.1.

    • Additional Terms for Individual Remedies (Individual Remedies) All individual remedies are stricken.

    • APPENDIX A: See ANNEX I from the EU SCCs, Module 2.

  • (4) For Record Custodians in the following locations, the Ibero-American Data Protection Network Model Transfer Agreement (“IADPN MCCs, Controllers to Processors”) (located here) applies:

    Peru, Uruguay, Argentina, Andorra

    The following applies to the IADPN MCCs, Controller to Processors as agreed to by the parties referenced above:

    - ANNEX I from the EU SCC, Module 2 is incorporated by reference and populates all required information in the IADPN MCCs, Controller to Processors.

    - Clause 9 (Redress) in sub-clause 9(a) the optional language is stricken.

    - ANNEX A is populated with relevant information from ANNEX I from the EU SCC, Module 2.

    - ANNEX B is populated with relevant information from ANNEX I from the EU SCC, Module 2.

    - ANNEX C is populated with relevant information from ANNEX II from the EU SCC, Module 2.

    - ANNEX D is populated with relevant information from ANNEX III from the EU SCC, Module 2.

    - ANNEX E is populated with the privacy notice located here: https://www.familysearch.org/en/legal/privacy.

  • (5) For Record Custodians in the following locations, the EU Standard Contractual Clauses, Module 2: Controller to Processor (“EU SCC, Module 2”) (located here) apply:

    China and Hong Kong

  • (6) For Record Custodians in the following locations, the EU Standard Contractual Clauses, Module 2: Controller to Processor (“EU SCC, Module 2”) (located here) apply:

    Brazil

  • (7) For Record Custodians in the following locations, the EU Standard Contractual Clauses, Module 2: Controller to Processor (“EU SCC, Module 2”) (located here) apply:

    New Zealand

  • (8) For Record Custodians in the following locations, the EU Standard Contractual Clauses, Module 2: Controller to Processor (“EU SCC, Module 2”) (located here) apply:

    Rwanda

  • (9) For Record Custodians in the following locations, the EU Standard Contractual Clauses, Module 2: Controller to Processor (“EU SCC, Module 2”) (located here) apply:

    Qatar

  • (10) For Record Custodians in the following locations, the EU Standard Contractual Clauses, Module 2: Controller to Processor (“EU SCC, Module 2”) (located here) apply:

    Saudi Arabia