General Data Protection Regulation
Keboola takes the security of your data and our infrastructure very seriously.
We are committed to providing an environment that is safe, secure, and available to all of our customers.
Version 2.2, last Updated: March 20th, 2018
Passed in 2016, the new General Data Protection Regulation (GDPR) is the most significant legislative change in European data protection laws since the EU Data Protection Directive (Directive 95/46/EC), introduced in 1995. The GDPR, which becomes enforceable on May 25, 2018, seeks to strengthen the security and protection of personal data in the EU and serve as a single piece of legislation for all of the EU. It will replace the EU Data Protection Directive and all the local laws relating to it.
We support the GDPR and will ensure all Keboola services comply with its provisions by May 25, 2018. Not only is the GDPR an important step in protecting the fundamental right of privacy for European citizens, it also raises the bar for data protection, security and compliance in the industry.
1. What is Keboola’s role under GDPR?
We act as both a data processor and a data controller under the GDPR.
Keboola as a data processor:
When customers use our products and services to process EU personal data, we act as a data processor. For example, we will be a processor of EU personal data and information that gets uploaded into a Keboola Connection. This means we will, in addition to complying with our customers' instructions, need to comply with the new legal obligations that apply directly to processors under the GDPR.
Keboola as a data controller:
We act as a data controller for the EU customer information we collect to provide our products and services and to provide timely customer support. This customer information includes things such as customer name and contact information.
2. What have we done to comply with GDPR?
We have conducted an extensive analysis of our operations to ensure we comply with the new requirements of the GDPR. With the help of external advisors, we have reviewed our products and services, customer terms, privacy notices and arrangements with third parties for compliance with the GDPR. We can confirm we will be fully compliant with the GDPR by May 25, 2018.
3. What personal data do we collect and store from our customers?
We store data that customers have given us voluntarily. For example, in our role as data controller, we may collect and store contact information, such as name, email address, phone number, or physical address, when customers sign up for our products and services or seek support help. We also may collect other identifying information from our customers, such as IP address, SSH keys or Oauth tokens for external services.
We separately act as a data processor when customers use our products and services to process EU personal data, such as uploading personal data to a Keboola Connection. Customers decide what personal data, if any, is uploaded to our products and services.
4. What is the Keboola Data Processing Addendum?
Customers that handle EU personal data are required to comply with the privacy and security requirements under the GDPR. As part of this, they must ensure that the vendors they use to process the EU personal data also have privacy and security protections in place. Our Data Processing Addendum outlines the privacy and security protections we have in place. We are committed to GDPR compliance and to helping our customers comply with the GDPR when they use our services. We have therefore made our Data Processing Addendum available to all our customers and it can be found here: Keboola Data Processing Addendum.
5. Has Keboola appointed a Data Protection Officer?
Because the processing of personal data actually performed by Keboola personnel is relatively limited compared to the significant amount of data and technical capacities at its disposal, Keboola is not obliged to appoint a DPO as defined in Art. 37 GDPR. This was confirmed by external legal counsel and validated by the Data Protection Authority. However, Keboola has appointed a Privacy Officer, who oversees Keboola Privacy Management system and serves as an escalation point for all privacy-related requests, inquiries, and complaints. You can contact the Keboola Privacy Officer at firstname.lastname@example.org.
6. How can customers enter into a Data Processing Addendum with Keboola?
The Keboola Data Processing Addendum is available on a self-service basis for customers that are processing personal data on Keboola.
Customers can obtain the Data Processing Addendum here.
For the Keboola Data Processing Addendum to be effective, customers must following the instructions provided on the cover page of the Addendum.
7. Can a customer share the Keboola Data Processing Addendum with its customers?
Yes. The Data Processing Addendum is a publicly available document and customers who wish to share it with their customers to confirm our security measures and other terms may feel free to do so.
8. Do customers need to notify anyone upon accepting our Data Processing Addendum?
No. You are not required to notify us or any third party upon accepting our Data Processing Addendum though, as mentioned above, you are free to do so.
9. Are there unique Data Processing Addendum needs for individual countries?
The GDPR applies to all of the EU and we offer a Data Processing Addendum that is compliant in all EU countries.
10. Do we transfer data internationally?
The GDPR replicates the Data Protection Directive restrictions on transferring data outside the EU and prohibits the export of personal data outside of the EU to non-EU recipients unless the export meets certain criteria.
Although we are headquartered in the European Union, Keboola has offices, data centers and customers also outside the EU. In certain circumstances, we will process personal data that originates from the EU in the United States, on servers controlled by Keboola EU headquarters. We provide a level of protection of privacy that complies with the EU rules. Personal data are never transferred to non-EU subjects for further processing, unless specifically requested by you.
11. How do we handle delete instructions from customers?
Customers have the ability to remove or delete information they have uploaded to our products. Likewise, customers may deactivate their account and request that all personal data we have collected and stored is deleted. Read our documentation (Project Deletion) for further instructions.
12. How can a customer view and download content from our services and transfer it to another provider?
If you need to access and download content from your Keboola Connection project, we have a number of different resources available to make this as easy as possible. The information can be found here: Data Takeout