January 2021
The European Union’s General Data Protection Regulation (GDPR) is a broad regulation that safeguards the rights of individuals in Europe with respect to their digital privacy. The extraterritorial nature of the GDPR is felt globally, with heavy fines possible for failing to comply.
The General Data Protection Regulation is a comprehensive data privacy regulation designed to harmonize data privacy laws across Europe. The GDPR is a principles-based pan-European regulation that puts specific obligations on data controllers and processors, provides enumerated rights to data subjects, prescribes remedies and penalties, and creates a common administrative oversight framework.
As a global leader in data management and cloud data services, NetApp understands data privacy. Privacy is one of the primary drivers of safeguards in a data-driven world, and as the data authority in the hybrid cloud, we maintain a comprehensive GDPR strategy. We operate under corporate policies, procedures, and standards designed to protect your privacy and offer technology that empowers you to protect the privacy of your employees, partners, and customers. This includes our Binding Corporate Rules, Privacy Principles, Code of Conduct and comprehensive data governance processes.
Additionally, our GDPR compliance strategy includes an investment in our customers' success under the GDPR. We strive to provide products, features, and functionality, along with an understanding of customer requirements that empower our customers to implement their own GDPR compliance programs. Whether you are a data controller or data processor, NetApp solutions and services can provide the tools necessary to implement programs that are instrumental to GDPR compliance. These tools include backup and recovery solutions, data availability, metadata tagging for tracking personal information, and even identifying personal information that exists in your cloud environment.
Like most companies, NetApp has access to a variety of personal information, collected in a number of different contexts. Depending on the context of collection, NetApp may be a controller, a processor, or a subprocessor of that personal data. Depending on our role as controller or processor of such data, we are required under the GDPR to provide data subjects and processors with information about how we collect and use their personal information. As part of our GDPR compliance strategy, we do this in our Privacy Policy and through internal processes and policies relating to our treatment of the personal information of employees and contracted personnel.
Our Privacy Policy describes our policies and practices for collecting and processing the personal information of our customers, partners, and stakeholders. Under the GDPR, cookies, web beacons, and other online identifiers may be considered personal information, so we also include a Cookie Policy.
NetApp offers a host of products and services, with features and functionalities designed to either comply with the GDPR or to give you options for how you can implement them to comply. For example, the GDPR includes restrictions and places conditions on cross-border data transfers. If a customer determines that its data cannot leave a given jurisdiction, NetApp offers products and services you can implement so that customer data is processed only within the designated region.
However, some of our products and services require the transmission of customer data out of a given jurisdiction, including outside the European Economic Area. Where such cross-border transmissions occur, we have put in place GDPR-compliance measures. For example, NetApp Binding Corporate Rules help protect personal information or data processing agreements, including standard contractual clauses governing the secure cross-border transfer of data. We also make clear in our Privacy Policy and our product and services terms when such cross-border transfers are necessary to provide NetAPP products or services. Customers are encouraged to take this information into account when determining the best solution for their data governance needs.
When we use subcontractors to process data as part of our services, we put comprehensive data processing agreements in place with these subprocessors and impose on them data protection obligations that are at least as protective as those set forth in our own customer agreements. We agree in our contracts to be liable for our subprocessors to the same extent as if we were processing the data, and we maintain a subprocessor list that is available to our customers.
Yes. Our commitments to compliance with the GDPR are available in a number of our customer contracts, such as our Customer Data Processing Addendum, which includes the Standard Contractual Clauses provided by the European Commission. We also make these commitments in our Privacy Policy, backed by the core values set out in our corporate Code of Conduct.
Every entity is different in its products, services, operations, risk profile, and preferences. Therefore, you need to work with your legal and business advisors to determine the best strategy for your company to comply with the GDPR.
Once you have determined your strategy, NetApp offers a variety of products and services with tools that can help you implement that strategy and that can be used in your privacy operations and GDPR compliance program. These include the Cloud Data Sense service to help you identify certain personal information present in your data, NetApp SnapCenter technology to support backup and recovery, and NetApp FPolicy for privacy operations and policy enforcement.
However, a comprehensive GDPR compliance program depends on the type and nature of personal data that is collected, the purpose and use of such data, and the operational capabilities and risk tolerances of the company. No two entities are alike. NetApp strives to provide all of our customers with tools and capabilities to empower them in their efforts, regardless of the scope and nature of their GDPR compliance programs.
Automated, AI-driven data privacy controls support compliance with the GDPR, the California Consumer Privacy Act (CCPA), and other data privacy regulations
