Code42 and GDPR compliance

Overview

The General Data Protection Regulation (GDPR) is a regulation enacted to strengthen data privacy for all individuals within the European Union (EU). All organizations that process personal data of individuals in the EU are required to comply with GDPR.

Code42 users have substantial amounts of business-critical data on their devices, often including personal data. Code42 will comply with its requirements under GDPR. In addition, Code42's product features can help your organization meet its own compliance obligations under GDPR.

Considerations

  • GDPR is effective as of 25 May 2018.
  • The rights under GDPR apply to, and are limited to, any individual who is in the EU, regardless of that individual's residency or citizenship. This means that GDPR's provisions protect non-EU citizens who are located within the EU, but they do not extend to an EU citizen living outside of the EU.
  • GDPR applies to both EU and non-EU companies if they process personal data about EU individuals. 
  • Not all organizations include endpoints in their GDPR compliance strategy.

Data Processing Addendum (DPA)

Code42's Master Services Agreement incorporates a Data Processing Addendum (DPA) that provides contractual commitments Code42 customers need to meet their GDPR requirements.

  • For Code42 for Enterprise customers who have renewed their subscriptions after July 15, 2017, and for all CrashPlan for Small Business customers, the DPA applies automatically under your Master Services Agreement.
  • For other Code42 for Enterprise customers, Code42 has created a retroactive version of the DPA that can be entered into upon request.

Code42's compliance with GDPR

GDPR sets forth baseline data-protection requirements for organizations that process and move the personal data of individuals in the EU. Organizations subject to GDPR must ensure that any service providers that process personal information of EU individuals, such as Code42, meet specific requirements.

Code42 will comply with its requirements under GDPR. As part of our compliance, Code42:

  • Implements technical and organizational measures to ensure personal data is protected.
  • Provides timely data-breach notifications to customers.
  • Transfers personal data outside the EU only if there is a lawful transfer mechanism in place with the organization receiving the data. This ensures adequate protection of the personal data being transferred. 

Features to help you comply with GDPR

The following features can help you in your GDPR-compliance strategy. 

The GDPR sections in this article can help you develop a compliance plan, but are not an exhaustive list of things to consider. 

Compliance is your responsibility
Code42 provides features you can use to meet your obligations under GDPR, but Code42 cannot dictate if and how you comply. It is your responsibility to develop the plan, methods, and procedures you will follow to be in compliance with GDPR.

Data protection and recovery features

The following Code42 features enable data protection and recovery.

Relevant GDPR information
 • Article 5: "Principles relating to processing of personal data"
 • Article 25: "Data protection by design and by default"
 • Article 32: "Security of processing"

Protect data from loss

Every file in user directories on all devices is backed up every 15 minutes (Code42 for Enterprise) or 30 minutes (CrashPlan for Small Business) by default, per file retention settings, allowing for robust data recovery.

Keep data secure

All data transferred to Code42 is encrypted at rest and in transit and is not processed by Code42 for any purpose other than as agreed upon for the provision of our products and services. 

Recover data

Code42 allows users to recover their files in the event of data loss arising from events such as a stolen device or ransomware.

Data viewing features

The following Code42 features provide your compliance officer with information about the data retained and allow your organization to comply with reporting requirements in the event of a data breach.

Relevant GDPR information
 • Article 35: "Data protection impact assessment"
 • Article 33: "Notification of a personal data breach to the supervisory authority"
 • Article 34: "Communication of a personal data breach to the data subject"

See data on devices

Because files on user devices are retained in archives, an administrator can download files from the archives and examine them with forensic tools as part of compliance efforts.

Monitor data flow

Monitor for high-risk behavior by configuring Security Center alerts and messages for high-risk data transfers to removable media and cloud storage.

Report on data breaches

Use Code42's reporting features as part of your analysis and required reporting in the event of data breaches. 

Features to assist with "right to be forgotten" requests

A provision of GDPR is the "right to be forgotten." If you receive requests from individuals who want their personal data "to be forgotten," you should be able to identify those individuals' personal data in your system, verify whether or not proper consent was obtained to collect the data, and be able to remove the data from any backups.

Keep in mind that:

  • EU individuals may have a "right to be forgotten" by any company that has their personal data, including companies outside of the EU. 
  • Companies that have EU personal data should be prepared to respond to a request for disclosure of stored personal data, and possible deletion of that data, within 30 days.

Relevant GDPR information
 • Article 17: "Right to erasure (‘right to be forgotten’)"

Exclude files from backup 

An administrator can exclude files from backup that contain personal data. Excluded files are removed from backup archives the next time archive maintenance is run.

Allow users to remove their files from backups

Under GDPR, users own their personal information and can choose whether that information should be removed from Code42 backups. Code42 app users can delete files containing personal data from their backup archives if a Code42 administrator allows it and does not lock backup settings.
