Earning trust through principled privacy operations and transparency.
The EU General Data Protection Regulation (GDPR) restricts the transfer of personal information outside of the European Economic Area except where adequate protections for that information are in place. As both a global enterprise and multinational company, NetApp recognizes the need to provide adequate levels of data protection to ensure personal information is protected when transferred across borders and has put in place a number of measures to meet the requirements of the GDPR.
Read more about NetApp’s response to the recent EU decision on the Privacy Shield here.
Modern global enterprises expect information to be available regardless of where they are, where their workforce is, and where their customers are. Everything from human resources to product development and transportation is data driven, and the ability to confidently transfer data between geographies is imperative for building and maintaining a global business. When the data being transferred is personal information, however, safeguards must be in place to ensure that the privacy of the data subject—the person whose data is being transferred—is sufficiently protected.
Over 100 countries have data protection laws. While many of these laws share common principles, they can and do vary in their requirements for cross-border data transfers. For example, under the GDPR, personal information is not permitted to be transferred outside of the EU unless certain conditions are met. Other laws, such as restrictions on the transfer of personal information collected by government agencies or related to an individual’s health or finances, may impose additional conditions or restrictions. Whatever your geolocation requirements are, NetApp has you covered.
The primary reason people are concerned with data location is that it relates to which government has the right to make legal decisions and judgments regarding access to the data—what lawyers refer to as “jurisdiction.” International legal rules regarding jurisdiction are based on an underlying recognition of a nation’s sovereignty and often involve complex rules of interpretation when dealing with international transactions. Questions of jurisdiction become particularly concerning when dealing with individual rights of data privacy, as different jurisdictions recognize and enforce individuals’ rights in their personal data in different ways.
For example, in Europe, the GDPR restricts moving personal information outside of the European Economic Area except under certain circumstances. These circumstances include an adequacy decision by the European Commission that the receiving country has implemented adequate legal protections of personal data. The GDPR anticipated that countries outside the EU may not be willing or able to change their laws for the purpose of meeting Europe’s privacy requirements. Therefore, it provides other options for cross-border transfers, where individuals can rely on the private law of contracts to ensure that their personal information is adequately protected. For entities operating in those countries without an adequacy decision, the GDPR permits these cross-border transfers when the entity transferring the data is subject to Binding Corporate Rules or when the contracts for the treatment of such data include Standard Contractual Clauses.
NetApp is a global company operating throughout the world and has long recognized the need for responsible cross-border data transfers. With headquarters in California, we are not eligible to rely on an adequacy decision by the European Commission. Instead, we place our commitments to protect personal information in our Binding Corporate Rules (BCRs). In fact, NetApp was one of the first companies to have our BCRs approved by our supervisory authority in the Netherlands. We have updated our BCRs to reflect the requirements of GDPR and we are currently awaiting their approval. Additionally, we provide standard contractual clauses as part of our Customer Data Processing Addendum as further assurance for how data is transferred as part of the processing activities. Each of these clauses is backed by administrative, technical, and operational safeguards that are regularly assessed for compliance.
NetApp processes personal information in its role as either a controller or a processor, as those terms are defined in the GDPR. Information on the contexts in which NetApp is a controller or processor can be found in our Privacy Policy. Where NetApp is a controller of personal information, we may transfer that data to any of our corporate locations worldwide. Where NetApp is a processor of personal information, we only process that information in the following countries: Canada, Hong Kong, Iceland, India, Israel, Netherlands, and the United States. Our BCRs and Data Processing Agreement cover our operations across these jurisdictions, even when our operations are in countries within the scope of the GDPR or have been found to have adequate protections under the GDPR.
Some types of personal information, such as information collected by a government on its citizens, may have additional restrictions regarding movement across borders. As a global leader in storage across platforms, NetApp offers many solutions that can meet even the most stringent requirements for data localization. Customers can choose between the industry’s broadest portfolio of all-flash, hybrid-flash, and object storage systems for a variety of on-premises storage solutions.
Customers who need specific storage locations are not limited to on-premises solutions, though. The NetApp hybrid multi-cloud offerings also allow customers to choose among the top public cloud providers and select the data storage location best suited to their business needs. NetApp has solutions available on Microsoft Azure, Amazon Web Services, and Google Cloud Platform, each of which offers options for data location choices.