Data Transfers FAQs
Last Updated: 14 August 2024
These FAQs provide answers to common questions from our customers about our approach to data transfers and data protection.
Please note these FAQs do not constitute legal advice and are not intended to provide guidance on the necessary steps you should take to comply with your legal obligations.
Where does WatchGuard store personal data?
Our data centers are located in the USA, Germany, Ireland, Spain, and Japan and are operated by WatchGuard Technologies, Inc., our subsidiaries such as Panda Security, S.L.U, and our sub-processors AWS and Microsoft Corporation (Azure).
The location of data storage depends on the type of data and services used. For example, customers that use WatchGuard Cloud Services can choose to have their service-derived data hosted within WatchGuard's European (Frankfurt), American, or Japanese AWS instance, while service-derived data of customers using WatchGuard and Panda Endpoint Security Services is stored in a Microsoft Azure instance in Ireland and our data center in Spain. Other types of data (such as general information about customer accounts in our CRM system and customers' support cases) are stored in the U.S.
Where does WatchGuard process personal data?
Depending on products and services used, customer data may be processed in your region, in the United States or in any other country where we or our subsidiaries and service providers maintain facilities. For example, customer data with a storage location in Europe may be accessed by WatchGuard employees outside of Europe for the purposes of providing and supporting our products and services or as necessary to provide support or maintenance to our customers. Some of our service providers also process personal data outside of Europe.
Does WatchGuard comply with GDPR when processing data outside of Europe?
To ensure customer data continues to be protected to European standards, we rely on GDPR-compliant data transfer mechanisms such as the Data Privacy Framework and Standard Contractual Clauses.
Does WatchGuard offer a Data Processing Addendum ("DPA") to its customers?
Yes, WatchGuard offers a DPA which sets out the relevant obligations and commitments under which we process personal data in connection with our products and services. The DPA is automatically incorporated into our End User License Agreement ("EULA"), which customers are required to accept before they can use our products or services. The DPA has been designed to ensure compliance with global privacy laws, including the EU General Data Protection Regulation ("GDPR") and the California Consumer Privacy Act ("CCPA").
Which transfer mechanisms does WatchGuard provide in the DPA?
WatchGuard is headquartered in the United States. To the extent that we need to transfer our European customers' personal data outside the European Economic Area ("EEA"), United Kingdom ("UK"), and Switzerland (collectively, "Europe") for processing by WatchGuard, Inc. in the United States, we agree to comply with the following transfer mechanisms to ensure customer data continues to be protected to European standards:
- Data Privacy Framework - WatchGuard has self-certified to the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (collectively, the "DPF"), as set forth by the U.S. Department of Commerce, with respect to the processing of personal data received from Europe. We process European personal data in compliance with the DPF Principles. You can view our DPF certification on the Data Privacy Framework List. Please visit the "WatchGuard Joins Data Privacy Framework Program" blog article for more information.
- Standard Contractual Clauses - The DPA incorporates the 2021 Standard Contractual Clauses ("SCCs") for transfers outside the EEA and Switzerland, and the UK International Data Transfer Addendum for transfers outside the UK.
The DPF has been granted adequacy by the European Commission and UK authorities for transfers of personal data to the U.S. We intend to rely on the DPF for equivalent transfers from Switzerland once the Swiss Federal Administration officially recognizes the adequacy of the Swiss-U.S. Data Privacy Framework.
Which transfer mechanism prevails in the DPA?
In the first instance, we rely on the DPF. In the event the DPF does not for whatever reason cover the transfer, the SCCs will automatically apply as an alternative mechanism. Customers therefore have assurance that WatchGuard offers both the DPF and the SCCs, so transfers may continue lawfully in the (hopefully unlikely) event the DPF is ever challenged.
How does WatchGuard's DPF certification benefit customers?
The DPF has an adequacy decision, which means that data exporters (like our customers) do not need to implement other safeguards (such as the SCCs) when transferring personal data to a DPF-certified organization (like WatchGuard, Inc.) in the U.S. Additionally, data exporters do not need to complete transfer impact assessments (TIAs) that are required when using other transfer mechanisms (like the SCCs), given the determination that the DPF offers an adequate level of protection for personal data.
How does WatchGuard provide adequate safeguards for other data transfers?
Where a transfer impact assessment (TIA) is required, such as under the SCCs, WatchGuard helps our customers conduct their own due diligence in connection with the use of our products and services. In doing so, we consider the European Data Protection Board ("EDPB") recommendations on data transfers, which state that organizations should take into account the specific circumstances of the transfer, the practical experience of the data importer, and the technical, organizational, and contractual measures.
We maintain appropriate technical and organizational measures to protect personal data against any form of accidental, unlawful, or unauthorized processing. These measures include (i) physical access controls to prevent unauthorized persons from gaining access to the data processing systems available at premises and facilities, (ii) implementation of our Incident Response Policy to ensure quick and effective response to security incidents, (iii) regular internal and external ISO 27001 audits, and (iv) access controls based on strong authentication and the principle of least privilege. For more information, please see Annex 3 of our DPA.
In addition to entering into a DPA with our customers, WatchGuard takes all steps necessary to ensure our agreements with our third-party vendors (including our service providers) contain appropriate commitments regarding the processing of personal data outside Europe and satisfy the requirements of applicable data protection law. We have also executed an inter-group data transfer agreement with all WatchGuard entities, incorporating the SCCs and strong commitments from each entity processing customer data.
Which recent laws provide adequate safeguards for data transfers to the U.S.?
In October 2022, President Biden issued Executive Order 14086 ("EO 14086") to introduce new safeguards for U.S. signals intelligence activities. EO 14086 was designed to address the concerns raised by the Schrems II ruling and serves as the basis of the DPF adequacy decision. Firstly, it places new requirements on the collection and handling of personal data by U.S. intelligence agencies, requiring that signals intelligence activities be "necessary" and "proportionate" and expanding the oversight of signals intelligence activities and bulk data collection to tighter controls. Secondly, it creates a new redress mechanism for European individuals who claim their personal data was collected unlawfully through U.S. signals intelligence programs, including the opportunity for review by the Data Protection Review Court within the Department of Justice.
The EDPB has confirmed that the safeguards enacted through EO 14086 are not limited to transfers made through the DPF and data exporters (i.e., our customers) should take into account the safeguards under EO 14086 when assessing the effectiveness of both the DPF and the SCCs.
What is WatchGuard's practical experience dealing with government access requests?
Customers should note that, to date, WatchGuard has never received any government agency requests for access to personal data from Europe under US surveillance laws and has not, therefore, published any related information.
Contact Us
If you have any further questions about our data transfers compliance, please email your WatchGuard Sales representative or [email protected].