Will Digital Realty be in compliance with the GDPR by 25th May 2018?
Yes. Privacy, Security and Confidentiality are fundamental to how Digital Realty conducts its business. Our practices are aligned to support and comply with the requirements of the GDPR.
How does Digital Realty assist its Customers with GDPR compliance?
The GDPR requires organisations to abide by a set of practices designed to protect individuals’ privacy rights. To document our practices and provide validation to individuals and our customers, we have published our Notice of Privacy Practices and are making available a Data Processing Agreement (DPA). The Notice and DPA provide the context for our processing of Personal Data. Furthermore, we are providing a structured mechanism to allow individuals to inquire about their Personal Data that we may hold.
It is important to note that under the majority of circumstances, Digital Realty is a Data Controller as defined under the GDPR with respect to the Personal Data we process and control.
What types of Personal Data does Digital Realty collect?
Digital Realty collects and processes minimal types of Personal Data to manage our business, to communicate with customers, prospective customers, employees and prospective employees, and to support the Access Control processes critical to ensure the security of our data centre operations.
The Personal Data we collect is grouped into four categories:
- Contact Data which consist of “business card” data, such as name, title, business email address, business phone number, employer name, and business address;
- Web Analytics Data which include IP addresses, cookies and UI preferences;
- Physical Access Control Data which consist of key-card/badge access activities and CCTV recording; and
- Human Resources data to support our business and staff.
For what purpose does Digital Realty collect and process Personal Data?
We collect Personal Data to:
- Enable secure access to our data centres and Customer Portals. In order to maintain our physical Access Control security procedures, we process Personal Data from the data centre users authorised by our customers and other designated vendor personnel. Similarly, to administer access to our Customer Portals we process the Personal Data of individuals designated by our customers as authorised users.
- Administer and manage our contractual relationships. We require Contact Data to document transactions for work order management, billing and communication purposes.
- Manage our suppliers. We collect Contact Data from suppliers to manage the delivery of and to pay for services that support our operations.
- Contact and engage with potential customers. We collect, and are given, data about potential customers to help them understand how we can support their data centre needs.
- Operate our business. We collect data on job applicants, employees and contractors to administer and manage our business.
How are individuals informed about the Personal Data Digital Realty collects and the purpose of the collection?
Whenever possible, we provide notice to people who access our facilities, websites, and other properties. Those notices detail the types of data collected, the purpose for which the data is collected, conditions on its processing and how retention schedules are applied. Our general Notice of Privacy Practices provides such information for most common situations involving Personal Data.
How does GDPR impact Digital Realty data centre users?
As we leverage robust security practices already in place as attested to by our SOC 2, PCI, and ISO 27001 certifications, the GDPR does not change our commitment to the user's data protection. Going forward we are providing data centre users with enhanced notice of our data privacy practices which clearly detail the rights of our data centre users and the conditions under which we process the users’ Personal Data to maintain our security processes and Access Controls. We are making available to the data centre users the means to inquire about what Personal Data of the user we process, and under certain circumstances, to provide us instructions on how the user wants us to process this data, including its deletion.
How can my company document Digital Realty's commitment to the GDPR?
Digital Realty offers a Data Processing Agreement (DPA) to customers that rely on our data centre services. This short document is tailored to the services Digital Realty provides. We respect our customers' requirements to appoint only processors who can provide sufficient assurances that the requirements of the GDPR will be met and the rights of data subjects protected. The DPA can be found here.
Is Digital Realty a Data Controller or a Data Processor of its customer's data under the GDPR? What about data that Digital Realty customers store on servers in Digital Realty buildings?
The answer depends on the context of the Personal Data being processed and the associated purpose.
Within the context of our requirement to maintain the security and confidentiality for our data centres and websites, we process Personal Data as a Data Controller.
Similarly, within the context of managing our business, including communicating with customers, vendors, and other third parties, we process Personal Data as a Data Controller.
It is only when we are contracted to deliver Remote Hands services specifically involving the physical handling of electronic media or hardware, such as hard disk drives, SSDs, and back-up tapes which may contain Personal Data that we may be considered a Data Processor of our customers’ data.
Do Digital Realty’s European data centre activities involve the transfer of Personal Data outside of the European Union (EU)?
As a Data Controller, Digital Realty processes Personal Data both in the European Union and in the United States. There are times when Digital Realty transfers Personal Data between the EU and other countries. We will engage in such transfers only when we can meet the requirements set forth in the GDPR. Digital Realty maintains compliance under the GDPR for transfers to the US and otherwise outside of the EU on the basis that (i) for internal transfers, Digital Realty affiliated entities will have signed intra-company agreements known as the ‘Model Clauses’ which are approved by the EU authorities for intra-company transfers, and (ii) for transfers to third parties outside of the EU, we will have Data Processing Agreements with our Data Processors requiring appropriate compliance and adherence to applicable standards for international transfers, such as through Privacy Shield.
Note that Digital Realty does not transfer Personal Data outside of the EU when it delivers services (i.e., Remote Hands) as a Data Processor.
As an individual, how do I make a request for access to the Personal Data Digital Realty may hold?
We have a form available online for individuals to submit inquiries about their Personal Data that we may hold. We are committed to addressing those inquiries within 30 days of receiving them. However, given the limited data set we maintain, “John Smith” in Dublin can look a lot like “John Smith” in London or “John Smith” in Dallas. Before we can fulfill a data request, we will need to verify the identity of the individual inquiring and may request additional information to validate the identity of the requestor.
We will do our best to provide information as required under the GDPR; however, we can only provide Personal Data that directly matches the authenticated information that has been provided. To prevent the sharing of Personal Data with the wrong individual, we will not be able to locate or share information under different names, email addresses, or other divergent identifiers.
For how long does Digital Realty retain Personal Data?
We retain Personal Data for no longer than is necessary either to comply with statutes and regulations, or legal orders as directed by a judicial authority, or to comply with contractual requirements. Digital Realty has established and adheres to retention schedules for Personal Data.
In general, we retain data centre Access Control data, including access log records, for 24 months unless prohibited by law and video recordings for up to 93 days unless prohibited by law.
Does Digital Realty share the Personal Data of individuals with other organisations?
Yes, Digital Realty shares Personal Data in several Access Control scenarios including:
- Personal Data collected for the purpose of validating the permission of individuals to access our buildings is shared with our vendors to administer our physical security program.
- Personal Data collected for the purpose of fulfilling customer-generated work-orders and associated tickets, and addressing issues and answering questions from our customers, is shared with our vendors for facilities maintenance and operations as well as our customer service support vendor whose call-centre is located in the Philippines.
Acting as Data Processors in the capacities described above, our vendors are equally committed to the protection of the data privacy rights as documented through Data Processing Agreements.
Additionally, we share the Access Logs and similar reports containing the Personal Data of individuals granted access to our customers’ controlled areas with the relevant customers. We may also share CCTV recordings with law enforcement agencies and customers involved in certain investigations.
Who can I contact if I have any additional questions on the GDPR and Digital Realty’s privacy practices?
We will answer your questions as soon as possible.
Where is Digital Realty’s glossary of GDPR terms?
We have definitions, including for many of the terms referenced in this FAQ, in the Definitions section at the end of our Notice of Privacy Practices.