The General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, provides data subjects with an array of privacy rights that give individuals greater transparency into and control over uses of their personal information.
At this point, you may be asking how Scalyr aligns with these privacy rights and where you can learn more about the features and functionality made available in Scalyr’s products that support a GDPR compliance program.
As we approach May 25, 2018 (GDPR Effective Date), Scalyr will be updating and adding features and functionalities to further support our customers with their GDPR compliance programs.
Disclaimer: This information is provided as-is, based on our best understanding of the information publicly available and our consultations with our legal counsel. This is not legal advice, and we cannot answer questions about your particular situation. You should consult with your own legal counsel if you have questions about your obligations under the GDPR.
The General Data Protection Regulation (“GDPR”) is a new European privacy regulation which will replace the current EU Data Protection Directive (“Directive 95/46/EC”). The GDPR aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law.
The GDPR applies to all organizations operating in the EU and processing “personal identifiable data” of EU residents. Personal data is any information relating to an identified or identifiable natural person.
One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed, used, and exchanged securely. Organizations will need to demonstrate the security of the data they are processing and their compliance with GDPR on a continual basis, by implementing and regularly reviewing robust technical and organizational measures, as well as compliance policies.
Scalyr will be compliant with the GDPR when it becomes enforceable on 25 May 2018. Our privacy team is working with customers around the world to answer their questions and to help them prepare for using Scalyr’s Services after the GDPR becomes effective. Additionally, our privacy team is reviewing Scalyr’s current product features and practices to ensure we support our customers with their GDPR compliance requirements. By choosing Scalyr as your Data Processor, you will meet your obligations under Article 28 of the GDPR to work with a Data Processor that implements appropriate technical and organizational measures and ensures the protection of the rights of the data subject.
Scalyr encourages customers to begin preparing for the GDPR by reviewing their privacy and data security processes and policies to ensure compliance by May 2018. Compliance with the GDPR is a shared responsibility between the Data Controller and the Data Processor. If the GDPR applies to you, Scalyr is processing data on your behalf and per your instructions, which makes us the Data Processor and you the Data Controller.
As your Data Processor, we will enter into an additional agreement (the Data Processing Addendum) which contractually binds us to meet our Data Processing obligations to protect the rights of the data subjects.
We will also, to the extent possible, assist you in meeting your obligations under the GDPR, such as retrieving, editing or deleting personal data, or obtaining and preserving proof of consent when applicable. Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with EU data protection law. Below are some key points to consider for GDPR compliance:
Yes. In addition to our standard Terms of Service, a Data Processing Agreement is required for all customers in the European Union, or customers who qualify as a Data Controller under the GDPR. Customers affected by the GDPR must review and sign our Data Processing Addendum by 25 May 2018.
You can review the Data Processing Addendum here. Note: To complete this DPA, contact us at firstname.lastname@example.org and we’ll send you a copy to sign electronically. After we receive the completed DPA, it will come into effect and legally bind both parties (Scalyr and your company).
The Data Processing Addendum includes provisions between the Data Processor (Scalyr) and the Data Controller (you, our customer) that are mandatory under the GDPR.
Please note that Scalyr cannot make a determination as to which customers are affected by this regulation. Customers are invited to make their own determination and request our Data Processing Addendum as needed.
Customers can use Scalyr’s third-party ISO certifications and SOC 2 audit reports to help conduct their risk assessments and determine whether appropriate technical and organizational measures are in place. For additional information, please see the Scalyr Security page.
Under the GDPR, valid consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data” and must specifically cover all of the processing activities. Any request for consent must be in clear and plain language and easily distinguishable from other matters. The GDPR requires a “clear affirmative act” – which can be through an electronic signature, ticking a tick box, etc. – while silence, pre-ticked boxes, or inactivity on the part of the user will not constitute consent.
We will provide further guidance on how to obtain consent through a web form, but ultimately, under the GDPR, Scalyr is considered a Data Processor, and obtaining consent is the responsibility of the Data Controller (our customer).
Note that Informed Consent is one valid basis for lawful collection and processing of personal data, but there are others which are equally valid, including performance of a contract or the Data Controller’s ‘legitimate interests’ (See Article 6 of the EU GDPR).