The commitments we make in our BCRs
We commit to complying with applicable laws in our treatment of personal information. Although this seems simple, any of us who have had to manage huge troves of data know that a lot goes on behind the scenes to make such a broad commitment. The BCRs commit NetApp to our Privacy Principles and to the authority of the Dutch SA.
NetApp takes security seriously. Really seriously. We know that you are trusting us with your most valuable asset—your data. The BCRs commit NetApp to technical, organizational, and administrative policies, procedures, and controls designed to protect the confidentiality, integrity, and availability of personal information in accordance with GDPR requirements. But our commitment to security is not just captured in our BCRs—we also commit to security practices through our contracts and service level commitments. Additionally, NetApp security is more than a static commitment—we maintain a dynamic security process, evolving to meet the ever-changing threat landscape.
We make it easy for data subjects to exercise their rights under the GDPR, file a complaint about our privacy practices, and get answers to questions about how we manage personal information. You can initiate a request by sending email, by sending letters through the postal service, or by calling 1 877 263 8277. Or just contact your local NetApp office, and they'll put you in touch with the right team to help.
NetApp BCRs bind us as to when, how, and why we transfer personal information across borders. Most of our cross-border transfers are related to how we share information about our employees in order to provide corporate services for our global workforce. However, our BCRs also bind us as to when, how, and why we transfer information about our partners and customers. For example, they bind us when we send information to a payment processor to fulfill an order, send information to our security teams to verify the operational security of our cloud services, or even coordinate with any recipient of personal information to fulfill a data subject request under the GDPR.
NetApp also commits to protecting data when it is transferred to any third party, regardless of location. Our security commitments cover all of our practices, including the movement of information across borders. We have policies and processes to vet our supply chain, helping to make sure that we know who we're doing business with and that we can trust them with personal information. In addition to this vetting process, we also have policies and processes in place that include standard contractual clauses in our service provider contracts, which help ensure that we can enforce our high standards for privacy and data security.
Sensitive personal information
NetApp commits to restricting access to sensitive personal information, which includes information about a person's racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, medical history, sexual orientation, and criminal convictions. For the most part, NetApp commits to not collecting this data. Of course, if the collection of the data is necessary—for example, some laws require us to collect and analyze sensitive personal information to comply with anti-discrimination laws—then it is collected, maintained, and disposed of under the applicable standards and with clear disclosures.
Like most companies, NetApp creates and shares marketing materials to inform our customers and potential customers of our products and services. Our BCRs ensure that you can always opt out of receiving these marketing communications without cost or penalty.
We hold ourselves accountable to these commitments through regular audits. NetApp was also one of the first U.S. companies to go through the comprehensive process of having the Dutch SA review and approve our BCRs. NetApp cooperates closely with our supervisory authority to help ensure a common culture and understanding around the policies, practices, and controls relating to our customers’ privacy. We provided our most recent updates in April 2019, and we continue to work with the Dutch SA as we develop our processes and BCRs to meet changing laws and our evolving understanding of privacy.