Privacy: Data privacy principles and compliance

June 2021

Technology has transformed how we live our lives and do business. We meet, shop, and are entertained online, all through the digitization of workflows, supply chains, and media. With each new transaction, data is generated, creating a digital identity that roams the internet. But just as we wouldn’t wander the physical world without protecting ourselves, we need to protect our digital identities.

Global data privacy laws make specific yet diverse demands on companies that handle personal information, including the data used to build digital identities. As the data authority in the hybrid cloud, NetApp has a long-held commitment to the privacy rights of every NetApp user. Our comprehensive approach gives our customers control over the collection, use, and storage of their data. We maintain corporate policies, procedures, and standards designed to protect data privacy rights. We offer technology that empowers customers to protect the privacy of their employees, partners, and customers and to comply with the many data protection laws worldwide.

Data privacy at NetApp begins with our Privacy Principles, grounded in our Code of Conduct and supported by contractual commitments and Binding Corporate Rules. Our principles are built on generally accepted privacy principles, such as transparency, legal compliance, security safeguards, and accountability. These principles govern how our products and services manage and protect personal data. We strive for transparency in addressing how data is moved across borders and in the service controls we use to ensure that our commitments are met.

Data privacy and protection are grounded in fundamental principles that are the foundation of global privacy laws. By design, NetApp’s products and services abide by data protection and privacy laws and regulations, such as the GDPR and CCPA.

NetApp’s privacy principles, grounded in our Code of Conduct and backed by our Binding Corporate Rules and contractual commitments, govern how our products and services manage and protect personal data. NetApp based them on the fundamental principles of such data privacy laws as the GDPR, and aligned them with principles set forth by such organizations as the Organization for Economic Co-operation and Development (OECD). By focusing first on the basic principles of data privacy, NetApp has designed a privacy program that scales to meet the evolving global legal environment.

NetApp commits to the common principles of data privacy and protection in Binding Corporate Rules (BCRs). Our BCRs define our corporate approach to handling personal information, and they specifically govern how data is moved across borders, including the transfer of data from the EU to other countries.

BCRs require the support of a comprehensive data privacy and security program, from policies and training to governance and audits. When the GDPR came into effect, we amended our BCRs to address GDPR requirements for NetApp as a controller, and filed new BCRs for our activities as a processor of customer data.

The California Consumer Privacy Act (CCPA) addresses the rights of California residents (known as consumers in the law) to control their personal information. The California Privacy Rights Act (CPRA), which will take effect in January 2023, expands individual rights for consumers, including the creation of a new category of sensitive personal information. It also creates new obligations for entities that process personal information.

Many of the requirements of both laws share underlying principles with the GDPR, and NetApp practices for GDPR compliance are also implemented to comply with the CCPA and the CPRA. However, there are noticeable differences in some of the required disclosures that are captured in our Privacy Policy.

Features in NetApp products and services either have built-in functionality or enable configurations that empower our customers to comply with both California laws. For example, consumers’ rights to access, delete, and modify the information that NetApp has collected can, in some cases, be through self-service access to NetApp services. 

Data privacy is one of the primary drivers of safeguards in a data-driven world, and as the data authority in the hybrid cloud, we maintain a comprehensive GDPR compliance strategy. NetApp offers a robust set of products and services, with functionalities designed to either comply with the GDPR or give customers options for how to implement them to comply. For example, the GDPR includes restrictions and places conditions on cross-border data transfers. If a customer determines that its data cannot leave a given jurisdiction, NetApp enables features to help ensure that data is processed only within the designated region.

Modern global enterprises expect data to be available no matter where they are, where their workforce is, or where their customers are. The ability to confidently transfer data between geographies is imperative for building and maintaining a global business. When the data being transferred is personal information, however, extra safeguards must be in place to ensure that the privacy of the subject of the data is sufficiently protected.

NetApp products and services offer many options for protecting data privacy and managing its geographic location. We place our commitments to protect personal information in our Binding Corporate Rules, which we have updated to reflect GDPR requirements. Additionally, we provide Standard Contractual Clauses as further assurance for how data is transferred. Each of these clauses is backed by administrative, technical, and operational safeguards that are regularly assessed for compliance.