General Data Protection Regulation (GDPR) FAQ

This document addresses frequently asked questions with regard to Citrix End User License Agreements and End User Services Agreements, Citrix Data Processing Addendum, the EU Standard Contractual Clauses (SCCs), and general questions about the GDPR.

We include security and data protection terms in our End User License Agreements (EULA) and End User Services Agreements (EUSA). These terms include a detailed description of the security controls used across Citrix’s services, as well as data processing terms that align to the applicable sections of the GDPR, and EU Standard Contractual Clauses (including June 4, 2021 revisions). These terms will apply to any future purchase or product update – you do not need to do anything further to comply with the GDPR’s requirement to ensure that your organisation’s personal data is processed under a data processing agreement.

The Citrix terms are designed to address the requirements of Article 28 of the GDPR, which requires data processing activities to be governed by a contract, and to provide more specific information about how Citrix secures its Services.

The GDPR is the biggest update of European data protection law since 1995, providing greater protection for personal information of individuals.

The GDPR applies if your organisation is based in the EU or if it processes the personal data of individuals in the EU to offer products or services. This means that the GDPR will apply to practically all companies doing business in the EU.

Any kind of information that can be used to identify an individual, e.g. a phone number, a mail address, or an IP address.

Collecting, storing, using and pretty much anything else you can do with personal data.

Organisations must implement appropriate policies and security measures, report data breaches to authorities (and, in certain circumstances, affected individuals), conduct privacy impact assessments, keep records on data activities and enter into data processing agreements with data processors.

The GDPR is based on the Data Privacy Directive; however, it also strengthens existing laws in certain respects, including breach notification, higher fines for non-compliance and data loss, and individual control over how personal data is handled.

Fines can be up to 20 million Euros or 4 percent of an organisation’s worldwide revenue, whichever is higher.

There is no quick fix to compliance. As a start (if you haven’t done so already), you should determine how GDPR applies to your organisation and the way it uses EU personal data. You may need to sign data processing agreements with your data processors, and you should look carefully at the security of your computing systems and data processing operations. 

If your organisation is responsible for collecting data and determining how it is processed (a “data controller”), GDPR requires that you enter into an agreement with anyone who handles data on your behalf (“data processors”). A data processing agreement is an agreement between a data controller and a data processor setting out how they will both meet the requirements of the GDPR. Citrix provides a Data Processing Addendum (DPA) for this purpose.

That depends on how your organisation works with Citrix. If you obtain services (such as Citrix cloud services) and Citrix holds your personal data within those services, then Citrix is a data processor.

This Citrix Data Processing Addendum (DPA) is part of the Citrix EULA, EUSA or services agreement applicable to the Services (“Agreement”) and does not require execution.  The Citrix EU Standard Contractual Clauses, however, may be executed at your option.

EU law regulates the transfer of EU personal data to countries outside the European Economic Area (EEA) (EU countries + Iceland, Liechtenstein, and Norway). The EU has provided a set of model contract clauses (non-negotiable terms set out by the European Union), which can be incorporated into agreements between data controllers and processors established outside the EU or EEA to ensure that any personal data leaving the EEA will be transferred in compliance with EU law, including GDPR.

Yes, the appropriate SCCs are incorporated by reference in the DPA for applicable international transfers. Specifically, the DPA states that for countries that have adopted the use of the new 2021/914/EU SCCs, those SCCs apply. For countries that currently accept the 2010/87/EU SCCs but have not approved the use of the new 2021/914/EU SCCs, the 2010/87/EU SCCs apply.

For customers who would like to also formally execute SCCs, executable versions are available by following a few simple steps:

  • Go to and Sign In to your Citrix My Account
  • Click “View EU Standard Contractual Clauses” on the left side
  • Select the SCC or SCCs that apply to you and click “New Agreement” to complete the SCCs that apply to your business (Please be patient while we update this process to accommodate the new 2021 versions. We expect this to be available the week of September 20, 2021.)

Podio, RightSignature, and Citrix Content Collaboration customers who are not using the Citrix Content Collaboration Enterprise Edition or have not also bought any Citrix Enterprise product may not have a My Citrix Account.  

But you can also easily set up a My Account on This makes the Standard Contractual Clauses available to you and offers many other advantages related to Citrix products and services.

For information about Schrems II and Citrix Services click here.

For information about Brexit and Citrix Services, please refer to this document.

This FAQ and the links within provide a general overview of the EU General Data Protection Regulation (GDPR). It is not intended as and shall not be construed as legal advice. Citrix does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that customers or channel partners are in compliance with any law or regulation.

Customers and channel partners are responsible for ensuring their own compliance with relevant laws and regulations, including GDPR. Customers and channel partners are responsible for interpreting themselves and/or obtaining advice of competent legal counsel with regard to any relevant laws and regulations applicable to them that may affect their operations and any actions they may need to take to comply with such laws and regulations.