LogMeIn and the EU General Data Protection Regulation (GDPR)
As a global company with customers in nearly every country in the world, protecting the personal data of our customers and their end-users continues to be a priority. In 2016, the European Union approved a new privacy regulation called the General Data Protection Regulation (GDPR), which is a mandatory ruling that applies to companies that collect the data of EU citizens.
Taking effect on 25 May 2018, the GDPR is gaining increased focus from savvy customers, world leaders, the privacy community, and global corporations like LogMeIn alike. We know proper implementation involves cross-functional efforts across any organization, so we have assembled a core team with members from product, security, legal, IT, and data to drive the compliance initiative. This team is working with stakeholders in every impacted function to review all products, operations, and vendors and to ensure adequate compliance positions are achieved company- and system-wide. Further, we are also working with outside consultants and attorneys, and leveraging third-party compliance tools and software, to make sure that LogMeIn is tracking toward the project deadline and that our efforts capture the necessary scope of compliance. Based on the work to date, we are confident that we will be GDPR-compliant well ahead of the May 2018 deadline.
Generally speaking, GDPR does not introduce significant new requirements to LogMeIn’s security and privacy practices and principles. Thus, our ongoing compliance review and actions build on our existing investments in privacy, security, and operational processes necessary to meet the requirements of GDPR and other applicable regulations. Some of the ways in which we currently provide customers with assurances with respect to the transfer of their personal data are:
- Data Security: LogMeIn maintains rigorous technical and organizational security practices and measures, both in how we handle customer Content (as this term is defined in our Terms of Service) and in the capabilities our services and products provide to assist you in safeguarding your information. To learn more about how we do this, please visit the applicable service or product website and check out the “Support” or “Resources” section.
- Data Processing Addendum (EU Standard Contractual Clauses): We have long offered customers a Data Processing Addendum, which incorporates the EU Standard Contractual Clauses (“SCCs”, also known as the EU Model Clauses) and includes LogMeIn’s Technical and Organizational Data Security Measures. The SCCs are time-tested and continue to be a valid and recognized legal mechanism for ensuring that any personal data leaving the European Economic Area will be transferred in compliance with EU data-protection laws. LogMeIn continues to maintain the operational processes necessary to meet the stringent SCC requirements for the transfer of personal data to processors, which in turn allows us to provide our customers with contractual guarantees for the protection of their personal data.
- Privacy Shield: LogMeIn, Inc. and its wholly owned subsidiary, GetGo, Inc., participate and are self-certified in the EU-U.S. Privacy Shield Framework and Swiss Privacy Shield regarding the collection, use, transfer, and retention of personal information from European Union member countries and Switzerland. Our compliance with this voluntary framework reflects our commitment to maintaining the highest standards of privacy and data security when it comes to our customers’ data. As such, Privacy Shield certification is but one additional means for customers to have confidence in LogMeIn’s practices regarding their data. Find out more here.
For more information, please see the following frequently asked questions.
Q) As a US company, does LogMeIn need to follow the GDPR?
A) Yes. We have many customers in the EU which means the GDPR applies equally to us, and we will, therefore, adhere to the new regulations no later than 25 May 2018.
Q) I’ve read of ‘data controllers’ and ‘data processors’. What’s the difference and which one is LogMeIn?
A) A Data Controller is the owner of the information and decides how that information should be used. A Data Processor is a service provider who carries out instructions of the Controller with regard to the data. Generally speaking, our customers will be the Controllers of data they place in our systems, and LogMeIn will be the Processor on their behalf. In some limited instances, such as when we collect data from a customer in order to create an account, LogMeIn will be the Controller. Formal definitions from the GDPR full text may be found here: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
Q) Does the GDPR stop a company from storing information outside of the EU?
A) No. Nothing in the GDPR prevents this; however, all Data Processors must protect EU customer data appropriately, regardless of where it is stored.
Q) When do these regulations become “in force”?
A) 25 May 2018
Q) How will LogMeIn prepare for the “in force” date?
A) We’re approaching this with a combined product, security, legal, IT, and data team, together with outside data privacy experts and third-party compliance tools, to address policies, processes, products, and people. The teams have been documenting data use within products and locations of processing, and readying, revising, and implementing the necessary procedures and practices.