General Data Protection Regulation (GDPR)
Revised Monday, September 27, 2021
The General Data Protection Regulation (GDPR) is a European data protection regulation adopted by the EU Commission. It replaced the EU Data Protection Directive, also known as Directive 95/46/EC. The GDPR became effective on May 25, 2018 and applies to both individuals and businesses. It regulates the way in which personal data of citizens in the European Union should be handled.
We would like to provide you with answers to some of the questions that we hear time and time again from our customers. We also want to provide an update on what Rackspace Technology has done to comply with GDPR and what services we offer to our customers to help them meet their compliance obligations. We recommend that you seek your own legal advice to determine exactly how the GDPR and Brexit impacts your business.
FAQs about GDPR
Is Rackspace Technology a controller or a processer of Customer Data?
Under the GDPR, a “controller” determines why and how personal data is processed. A “processor” processes personal data on behalf of the controller. Generally, Rackspace Technology has limited knowledge of the data that our customers process via the hosting infrastructure or customer configuration (“Customer Data”). In addition, we only process Customer Data in accordance with our customer’s instructions. Therefore, Rackspace Technology is a processor or sub-processor of Customer Data.
Will GDPR change the way Rackspace Technology treats customer data?
Rackspace Technology continues to treat Customer Data with the required level of sensitivity and confidentiality. Learn more about our security practices.
Rackspace Technology will continue to take appropriate steps to ensure that we do our part to comply with the relevant provisions in the GDPR.
Under GDPR, can an EU customer continue to host personal data outside of the EU/EEA?
Provided certain legal mechanisms are in place, EU customers can host personal data outside of the EU. Personal data may be transferred outside of the EU and the EEA when an adequate level of protection for that data is guaranteed.
To help achieve this level of protection, Rackspace Technology has taken the proactive step of including a Data Processing Addendum that incorporates the applicable Standard Contractual Clauses into our Master Services Agreement. Compliance with data protection laws, however, is a shared responsibility which is why we generally require our customers to secure and encrypt in transit and at rest certain data stored on or transmitted using Rackspace Technology services. We also require customers to take suitable steps to otherwise prevent Rackspace Technology’s ability to access certain data where our access to the premises, systems, or networks owned or operated by the customer may result in its exposure.
Won’t I be in breach of the data protection laws if Rackspace Technology transfers my personal data outside the EU/EEA?
The current laws allow Rackspace Technology to process personal data and therefore support your services from outside the EEA if there are adequate transfer protections in place. Compliance with relevant data protection law, however, is a shared responsibility as addressed in our Master Services Agreement.
Can you keep my data in the EU only?
Rackspace Technology is able to offer around-the-clock support by operating a 24/7 “follow the sun” model that leverages our support engineers in countries where we operate. This means that although we will not physically move your personal data into another jurisdiction without your consent, sometimes we will need to provide you with support from outside the EU.
Will the Data Protection laws/GDPR apply when Britain leaves the EU?
The key data protection law on EU data transfers is the GDPR. The Information Commissioners Office (ICO) has provided specific guidance on data protection in relation to Brexit and we would strongly recommend customers reviewing the ICO’s guidance. This guidance is available at: https://ico.org.uk/for-organisations/data-protection-and-brexit/ In June 2021, the European Commission adopted two adequacy decisions for transfers of personal data to the United Kingdom. These decisions allow the free movement of data between the EEA and the UK. For further information, please see: https://www.gov.uk/government/news/eu-adopts-adequacy-decisions-allowing-data-to-continue-flowing-freely-to-the-uk International data transfers with our customers are dealt with by our data processing addendum, which is available at: https://www.rackspace.com/information/legal/dataprocessingaddendum_MC The addendum sets out the transfer protections that apply to the transfer of data outside the EEA in accordance with the guidance from the ICO.
Do you have other data centers within the EU where I can store my data?
Yes, Rackspace Technology has other data centers in other countries, including Germany, to provide our customers additional options for an EU footprint.
I heard that the European Court of Justice recently invalidated the EU-US Privacy Shield Framework. How does that impact my existing agreement with Rackspace? How do I get a version that removes the Privacy Shield and includes the updated Standard Contractual Clauses that were adopted in June 2021? Customers who need to incorporate the revised provisions into their agreement can do so by following the instructions here.
What services does Rackspace Technology offer to help me comply with GDPR?
First, review the GDPR to determine whether it applies to your organization. If GDPR applies, make sure that you implement appropriate technical and organizational measures to ensure and demonstrate that any data processing is performed in compliance with GDPR.
Please feel free to reach out to a representative at Rackspace Technology so that we can help tailor a solution to fit your business needs. While we cannot ensure that your company is GDPR-compliant, we do offer many products and services that can help you meet some of the GDPR requirements. You should always work with a legally qualified professional to discuss GDPR, how it applies specifically to your organization and how best to ensure compliance.
How do I update my current agreement with Rackspace Technology in light of GDPR?
We have a new Data Processing Addendum that will meet the requirements of the GDPR. Customers who need to incorporate GDPR provisions into their agreement can do so by following the instructions here.
Information about security products that we offer: https://www.rackspace.com/security