Earning trust through principled privacy operations and transparency.


NetApp and the GDPR

The European Union’s General Data Protection Regulation (GDPR) is the broadest reaching global regulation that addresses safeguarding the rights of individuals with respect to their digital privacy. The extraterritorial nature of the GDPR is felt globally, with heavy fines possible for failing to comply.

What Is the GDPR?

The General Data Protection Regulation (GDPR) is a comprehensive data privacy regulation designed to harmonize data privacy laws across Europe. The GDPR is a principles-based pan-European regulation that puts specific obligations on data controllers and processors, provides enumerated rights to data subjects, provides for remedies and penalties, and creates a common administrative oversight framework.

NetApp and GDPR

As a global leader in data management and cloud data services, NetApp understands data privacy. Privacy is one of the primary drivers of safeguards in a data-driven world, and as the data authority in the hybrid cloud, we maintain a comprehensive strategy and commitment to GDPR compliance. We operate under corporate policies, procedures, and standards designed to protect your privacy and offer technology that empowers you to protect the privacy of your employees, partners, and customers. This includes our Binding Corporate Rules, Privacy Principles, Code of Conduct, and comprehensive data governance processes.

Additionally, we are invested in our customers’ success under the GDPR and strive to provide products, features, functionality, and an understanding of customer requirements that will empower our customers to implement their own GDPR compliance programs. Whether you are a data controller or data processor, NetApp solutions and services can provide the tools necessary to implement programs instrumental to GDPR compliance. These include backup and recovery solutions, data availability, metadata tagging for tracking personal information, or even identifying personal information existing in your cloud environment.

Frequently Asked Questions

How does NetApp manage personal information in light of the GDPR?

Like most companies, NetApp has access to a variety of personal information, collected in a number of different contexts. Depending on the context of collection, NetApp may be a controller, a processor, or a subprocessor of that personal data. Depending on our role as controller or processor of such data, we are required under the GDPR to provide data subjects and processors with information about how we collect and use their personal information. We do this in our Privacy Policy and through internal processes and policies relating to our treatment of the personal information of employees and contracted personnel.

Our Privacy Policy provides our policies and practices for collecting and processing the personal information of our customers, partners, and stakeholders. Under the GDPR, cookies, web beacons, and other online identifiers may be considered personal information, so we also include a Cookie Policy.

Using NetApp products and services under the GDPR

NetApp offers a host of products and services, with features and functionalities designed to either comply with the GDPR or give you options on how you can implement them to comply. For example, the GDPR provides restrictions and conditions on cross-border data transfers. If a customer makes a determination that its data cannot leave a given jurisdiction, NetApp offers products and services you can implement so that customer data will only be processed within the designated region.

However, some of our products and services require the transmission of customer data out of a given jurisdiction, including outside the European Economic Area. Where such cross-border transmissions occur, we have put in place GDPR-compliance measures. Examples include NetApp Binding Corporate Rules, which help protect personal information, and data processing agreements, including standard contractual clauses governing the secure cross-border transfer of data. We also make clear in our Privacy Policy and our product and services terms when such cross-border transfers are necessary to provide NetApp products or services, and customers are encouraged to take this information into account when determining the best solution for their data governance needs.

When we use subcontractors to process data as part of our services, we put comprehensive data processing agreements in place with these subprocessors and impose on them data protection obligations that are at least as protective as those set forth in our own customer agreements. We agree in our contracts to be liable for our subprocessors to the same extent as if we were processing the data, and we maintain a subprocessor list (login required) that is available to our customers.

Does NetApp make commitments to customers regarding the GDPR?

Yes. Our commitments to compliance with the GDPR are available in a number of our customer contracts, such as our Customer Data Processing Addendum, which includes the Standard Contractual Clauses provided by the European Commission. We also make these commitments in our Privacy Policy, backed by the core values set out in our corporate Code of Conduct.

Can NetApp help me comply with the GDPR?

Every entity is different in its products, services, operations, risk profile, and preferences. Therefore, you need to work with your legal and business advisors to determine the best strategy for your company to comply with the GDPR.

Once you have that strategy, NetApp provides a variety of products and services with tools that can help implement that strategy and be used in your privacy operations and GDPR compliance program. These include the Cloud Compliance service to help you identify certain personal information present in your data, NetApp SnapCenter technology to support backup and recovery, and NetApp FPolicy for privacy operations and policy enforcement.

A comprehensive GDPR compliance program, however, is dependent on the type and nature of personal data that is collected, the purpose and use of such data, and the operational capabilities and risk tolerances of the company. No two entities are alike. NetApp strives to provide all our customers with tools and capabilities to empower them in their efforts, regardless of the scope and nature of their GDPR compliance programs.


Understanding binding corporate rules

NetApp’s approach to global data privacy laws and the movement of data across national borders


Cross-border data transfers

NetApp managing data across global infrastructure


NetApp general terms and conditions

Terms, conditions, and other information related to the use of NetApp products and services


NetApp subprocessor list

A list of subprocessors of personal information under our Customer Data Processing Addendum.


NetApp cloud compliance

Support compliance with the GDPR, the California Consumer Privacy Act (CCPA), and other data privacy regulations through personal information discovery and management.


European Commission standard contractual clauses

The European Commission’s guidance on the use and terms of Standard Contractual Clauses addressing the processing and transfer across borders of personal information
