Cross-border data transfers

January 2021

The EU General Data Protection Regulation (GDPR) restricts the transfer of personal information outside of the European Economic Area except where adequate protections for that information are in place. As both a global enterprise and multinational company, NetApp recognizes the need to provide adequate levels of data protection to ensure that personal information is protected when transferred across borders, and has put in place a number of measures to meet GDPR requirements.

Read NetApp’s response to the ruling by the Court of Justice for the European Union that invalidated the EU-U.S. Privacy Shield for the transfer of data out of the EU.

Modern global enterprises expect information to be available regardless of where they are, where their workforce is, and where their customers are. Everything from human resources to product development and transportation is data-driven, and the ability to confidently transfer data between geographies is imperative for building and maintaining a global business. When the data being transferred is personal information, however, safeguards must be in place to ensure that the privacy of the data subject—the person whose data is being transferred—is sufficiently protected.

More than 100 countries have data protection laws. Although many of these laws share common principles, their requirements vary for cross-border data transfers. For example, under the GDPR, personal information is not permitted to be transferred outside of the EU unless certain conditions are met. Other laws, such as restrictions on the transfer of personal information collected by government agencies or related to an individual’s health or finances, may impose additional conditions or restrictions.

Why cross-border data transfers matter

The primary reason that people are concerned about data location is that it relates to which government has the right to make legal decisions and judgments regarding access to the data—what lawyers refer to as “jurisdiction.” International legal rules regarding jurisdiction are based on an underlying recognition of a nation’s sovereignty and often involve complex rules of interpretation when dealing with international transactions. Questions of jurisdiction are particularly concerning when dealing with individual rights of data privacy, because different jurisdictions recognize and enforce individuals’ rights regarding their personal data in different ways.

For example, in Europe, the GDPR restricts moving personal information outside of the European Economic Area except under certain circumstances. These circumstances include an adequacy decision by the European Commission that the receiving country has implemented adequate legal protections of personal data. The GDPR anticipated that countries outside the European Union may not be willing or able to change their laws for the purpose of meeting Europe’s privacy requirements. Therefore it has provided other options for cross-border data transfers, whereby individuals can rely on the private law of contracts to ensure that their personal information is adequately protected. For entities operating in those countries that don’t have an adequacy decision, the GDPR permits cross-border transfers when the entity that is transferring the data is subject to Binding Corporate Rules or when the contracts for the treatment of such data include Standard Contractual Clauses.

How NetApp addresses cross-border data transfers

As a global company operating throughout the world, NetApp has long recognized the need for the responsible transfer of data across borders, and whatever your data residency requirements are, NetApp has you covered. 

With headquarters in California, we are not eligible to rely on an adequacy decision by the European Commission. Instead, we place our commitments to protect personal information in our Binding Corporate Rules (BCRs). In fact, NetApp was one of the first companies to have our BCRs approved by our supervisory authority in the Netherlands. We have updated our BCRs to reflect the requirements of GDPR and we are currently awaiting their approval.

Additionally, we provide Standard Contractual Clauses as part of our Customer Data Processing Addendum as further assurance for how data is transferred as part of processing activities. Each of these clauses is backed by administrative, technical, and operational safeguards that are regularly assessed for compliance.

Where NetApp processes personal information

NetApp processes personal information in its role as either a controller or a processor as those terms are defined in the GDPR. Information on the contexts in which NetApp is a controller or processor can be found in our Privacy Policy. Where NetApp is a controller of personal information, we can transfer that data to any of our corporate locations worldwide. Where NetApp is a processor of personal information, we process that information only in the following countries: Canada, Hong Kong, Iceland, India, Israel, the Netherlands, and the United States. Our BCRs and Customer Data Processing Addendum cover our operations across these jurisdictions, even when our operations are in countries within the scope of the GDPR or have been found to have adequate protections under the GDPR.

Frequently asked questions

What if I need company data to stay in a specific country?

Some types of personal information, such as information collected by a government on its citizens, may have additional restrictions on movement across borders. As a global leader in storage across platforms, NetApp offers many solutions that can meet even the most stringent requirements for data residency. Customers can choose from the industry’s broadest portfolio of all-flash, hybrid-flash, and object storage systems for a variety of on-premises storage solutions.
