Scalyr and the GDPR
The General Data Protection Regulation (GDPR), which went into effect on May 25, 2018, provides data subjects with a wide range of privacy rights, including greater transparency into and control over the use of their personal data. At this point, you may be asking how Scalyr aligns with these privacy rights and where you can learn more about the features and functionality made available in Scalyr’s products that support a GDPR compliance program. In support of the GDPR, Scalyr has updated and added features to support our customers with their GDPR compliance programs. Disclaimer: This information is provided as is, based on our best understanding of the information publicly available and our consultations with our legal counsel. This is not legal advice, and we cannot answer questions about your particular situation. You should consult with your own legal counsel if you have questions about your obligations under the GDPR.
Frequently Asked Questions
What is the GDPR?
The General Data Protection Regulation is a European Union (EU) regulation which governs data protection and privacy for all individuals within the EU and the European Economic Area (EEA). It also addresses the export of personal data outside of the EEA. The GDPR primarily aims to give individuals control over their personal data and to simplify the regulatory environment for international business by unifying the requirements within the EEA.
To whom does the GDPR apply?
The GDPR applies to all organizations located in the EEA or processing “personal data” of individuals located in the EEA. Personal data is defined as any information relating to an identified or identifiable natural person.
What implications does the GDPR have for organizations processing personal data?
One of the key aspects of the GDPR is that it creates consistency across EU member states on how personal data can be processed and shared. Organizations will need to demonstrate the security of the personal data that they are processing and their compliance with the GDPR on a continual basis by implementing and regularly reviewing robust technical and organizational measures and compliance policies.
How does Scalyr comply with the GDPR?
Scalyr has devoted a significant amount of resources towards GDPR compliance. Our privacy team has worked with our customers around the globe to answer their questions and help them prepare for using Scalyr’s products in accordance with the requirements of GDPR. Additionally, our privacy team has reviewed and updated Scalyr’s products and practices to ensure that we support our customers with their GDPR compliance requirements. By choosing Scalyr as your data processor, you will meet your obligations under Article 28 of the GDPR to work with a data processor that implements appropriate technical and organizational measures and ensures the protection of the rights of data subjects.
How can Scalyr customers comply with the GDPR?
Compliance with the GDPR is a shared responsibility between the data controller and the data processor. If the GDPR applies to you, Scalyr is processing data on your behalf and at your instruction, which makes us the data processor, and you, the data controller. As your data processor, we will enter into an additional agreement (the Data Processing Addendum) which lays out our data processing obligations. We will also, to the extent possible, assist you in meeting your obligations under the GDPR, such as retrieving, editing, or deleting personal data, or obtaining and preserving proof of consent when applicable. We also offer hosting within the EEA (upon request). Data controllers bear the primary responsibility for ensuring that their processing of personal data is compliant with the law. Below are some key points to consider for GDPR compliance:
- Geographical Application: The GDPR applies to organizations that are located in the EEA. The GDPR also applies to organizations located outside of the EEA which process personal data of individuals located in the EEA.
- Rights of End Users: Organizations should be cognizant of end users whose personal data they may be processing. The GDPR establishes enhanced rights for end users, and organizations should be able to accommodate those rights.
- Data Breach Notifications: Organizations that are controllers of personal data should have clear processes in place in order to comply with the GDPR requirement to report data breaches in accordance with the time frames set out within the GDPR. Scalyr will notify affected customers without undue delay if we become aware of a data breach impacting our services.
- Appointment of Data Protection Officer (DPO): Customers may need to appoint a DPO to manage issues relating to the processing of personal data.
- Data Processing Addendum (DPA): If a customer is processing personal data about individuals located in the EEA, or a customer is using data processors physically located in the EEA, then it will need a DPA in place with each of these third parties. Scalyr’s DPA addresses the GDPR’s requirements and can be obtained by submitting a request to firstname.lastname@example.org.
Do you offer a Data Processing Addendum that addresses the GDPR?
Yes. In addition to our standard Terms of Service, a Data Processing Addendum is required for all customers in the EEA, or customers who otherwise qualify as data controllers under the GDPR. Customers subject to the GDPR must review and sign our Data Processing Addendum. To complete a DPA, contact us at email@example.com and we’ll send you a copy to sign electronically. The Data Processing Addendum includes provisions between the data processor (Scalyr) and the data controller (you, our customer) that are mandatory under the GDPR. Please note that Scalyr cannot make a determination as to which customers are subject to the GDPR. Customers are invited to make their own determination and request our Data Processing Addendum as needed.
Which Scalyr services and features can support customers’ compliance with the GDPR?
Customers can use Scalyr’s third-party SOC 2 audit reports to help conduct their risk assessments and determine whether appropriate technical and organizational measures are in place. For additional information, please see our security page. Additionally, under the GDPR, the requirement for consent is a “freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data.” Moreover, the consent must be specific to each processing activity. Any request for consent must be in clear and plain language and easily distinguishable from other matters. The GDPR requires a “clear affirmative act,” which can be through an electronic signature, ticking a box, etc. Silence, pre-ticked boxes, or inactivity on the part of the user will not constitute consent. Under the GDPR, Scalyr is considered a data processor, and obtaining consent is the responsibility of the data controller (our customer). Note that consent is only one valid basis for lawful collection and processing of personal data, but there are others which are equally valid, including performance of a contract or the data controller’s ‘legitimate interests’ (see Article 6 of the GDPR).