General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a European data protection regulation adopted by the EU Commission. It replaced the EU Data Protection Directive, also known as Directive 95/46/EC. The GDPR became effective on May 25, 2018 and applies to both individuals and businesses. It regulates the way in which personal data of citizens in the European Union should be handled.
We would like to provide you with answers to some of the questions that we hear time and time again from our customers. We also want to provide an update on what Rackspace Technology has done to comply with GDPR and what services we offer to our customers to help them meet their compliance obligations.
FAQs about the upcoming General Data Protection Regulation (GDPR)
Is Rackspace Technology a controller or a processer of Customer Data?
Under the GDPR, a “controller” determines why and how personal data is processed. A “processor” processes personal data on behalf of the controller. Rackspace Technology has limited knowledge of the data that our customers process via the hosting infrastructure (“Customer Data”). In addition, we only process Customer Data in accordance with our customer’s instructions. Therefore, Rackspace Technology is a processor or sub-processor of Customer Data.
Will GDPR change the way Rackspace Technology treats customer data?
Rackspace Technology continues to treat Customer Data with the required level of sensitivity and confidentiality. Learn more about our security practices.
Rackspace Technology will continue to take appropriate steps to ensure that we do our part to comply with the relevant provisions in the GDPR.
Under GDPR, can an EU customer continue to host personal data outside of the EU/EEA?
Provided certain legal mechanisms are in place, EU customers can host personal data outside of the EU. Personal data may be transferred outside of the EU and the EEA when an adequate level of protection for that data is guaranteed.
To help achieve this level of protection, Rackspace Technology has taken the proactive step of including a Data Processing Addendum that incorporates the applicable Standard Contractual Clauses into our Master Services Agreement. Compliance with data protection laws, however, is a shared responsibility which is why we require our customers to secure and encrypt in transit and at rest certain data stored on or transmitted using Rackspace Technology services. We also require customers to take suitable steps to otherwise prevent Rackspace Technology’s ability to access certain data where our access to the premises, systems, or networks owned or operated by the customer may result in its exposure.
Won’t I be in breach of the data protection laws if Rackspace Technology transfers my personal data outside the EU/EEA?
The current laws allow Rackspace Technology to process personal data and therefore support your services from outside the EEA if you have given us your consent, data is transferred to a non-EU jurisdiction deemed by the European Commission to offer an adequate level of protection for personal data, or the transfer is subject to the Standard Contractual Clauses. Compliance with relevant data protection law, however, is a shared responsibility as addressed in our Master Services Agreement.
Can you keep my data in the EU only?
Rackspace Technology is able to offer around-the-clock support by operating a 24/7 “follow the sun” model that leverages our support engineers in countries where we operate. This means that although we will not physically move your personal data into another jurisdiction without your consent, sometimes we will need to provide you with support from outside the EU.
Transfers of personal data originating from other locations globally to Rackspace Technology affiliates are subject to the terms of the Intra-Company Data Processing Agreement which requires all transfers of personal data to be made in compliance with applicable Rackspace Technology security and data privacy policies and standards.
Will the Data Protection laws/GDPR apply when Britain leaves the EU?
The U.K. legislation on data protection is derived from the EU Directive on data protection. The new Data Protection Act 2018, which is effective from May 25, 2018, replaces the Data Protection Act 1998 and incorporates GDPR into UK law. The purpose of the new Act is to ensure that the U.K. and EU data protection regimes are aligned after the U.K. leaves the EU.
Do you have other data centers within the EU where I can store my data?
Yes, Rackspace Technology has other data centers in other countries, including Germany, to provide our customers additional options for an EU footprint.
I heard that the European Court of Justice recently invalidated the EU-US Privacy Shield Framework. How does that impact my existing agreement with Rackspace Technology?
We have a new Data Processing Addendum that removes the previous references to the Privacy Shield and includes the Standard Contractual Clauses. Customers who need to incorporate the revised provisions into their agreement can do so by following the instructions here.
What services does Rackspace Technology offer to help me comply with GDPR?
First, review the GDPR to determine whether it applies to your organization. If GDPR applies, make sure that you implement appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with GDPR.
Please feel free to reach out to a representative at Rackspace Technology so that we can help tailor a solution to fit your business needs. While we cannot ensure that your company is GDPR-compliant, we do offer many products and services that can help you meet some of the GDPR requirements. You should always work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization and how best to ensure compliance.
How do I update my current agreement with Rackspace Technology in light of GDPR?
We have a new Data Processing Addendum that will meet the requirements of the GDPR. Customers who need to incorporate GDPR provisions into their agreement can do so by following the instructions here.
Information about security products that we offer: https://www.rackspace.com/security
Fanatical Support for AWS customers can access Amazon’s EU Data Protection information here: https://aws.amazon.com/compliance/eu-data-protection/
GCP customers can find answers about the Google Cloud here: https://www.google.com/cloud/security/gdpr/
Fanatical Support for Azure customers can find additional information here: https://www.microsoft.com/en-us/TrustCenter/Privacy/gdpr/default.aspx