General Data Protection Regulation (GDPR) FAQ
This document addresses frequently asked questions with regards to the updates Citrix made in the End User License Agreements and End User Services Agreements, and the new Online Data Processing Agreement available in the Citrix My Account, and general questions about the GDPR.
We have updated our security and data protection terms and included them in our End User License Agreements (EULA) and End User Services Agreements (EUSA). The updated terms include a detailed description of the security controls used across Citrix’s services, as well as data processing terms that align to the applicable sections of the GDPR, and EU Standard Contractual Clauses. These terms will apply to any future purchase or product update – you do not need to do anything further to comply with the GDPR’s requirement to ensure that your organisation’s personal data is processed under a data processing agreement.
EULA or EUSA
Data Processing Terms
European Union General Data Protection Regulation Terms (“GDPR Terms”)
Exhibit 1 - EU Model Clauses
EU Commission Standard Contractual clauses for the transfer of personal data to processors established in third countries
Exhibit 2 - Security Exhibit
Description of the technical and organizational security measures implemented
The Citrix terms are designed to address the requirements of Article 28 of the GDPR, which requires data processing activities to be governed by a contract, and to provide more specific information about how Citrix secures its Services.
The GDPR is the biggest update of European data protection law since 1995, providing greater protection for personal information of individuals.
The GDPR applies if your organisation is based in the EU or if it processes the personal data of individuals in the EU to offer products or services. This means that the GDPR will apply to practically all companies doing business in the EU.
Any kind of information that can be used to identify an individual, e.g. a phone number, a mail address, or an IP address.
Collecting, storing, using and pretty much anything else you can do with personal data.
The GDPR becomes effective on 25 May 2018.
Organisations must implement appropriate policies and security measures, report data breaches to authorities (and, in certain circumstances, affected individuals), conduct privacy impact assessments, keep records on data activities and enter into data processing agreements with data processors.
The GDPR is based on the Data Privacy Directive; however, it also strengthens existing laws in certain respects, including breach notification, has higher fines for non-compliance and data loss, and individual control on how personal data is handled.
Fines can be up to 20 million Euros or 4 percent of an organisation’s worldwide revenue, whatever is higher.
There is no quick fix to compliance. As a start (if you haven’t done so already), you should determine how GDPR applies to your organisation and the way it uses EU personal data. You may need to sign data processing agreements with your data processors, and you should look carefully at the security of your computing systems and data processing operations. Citrix’s GDPR Resource Kit may be a helpful for your GDPR readiness efforts.
If your organisation is responsible for collecting data and determining how it is processed (a “data controller”), GDPR requires that you enter into an agreement with anyone who handles data on your behalf (“data processors”). A data processing agreement is an agreement between a data controller and a data processor setting out how they will both meet the requirements of the GDPR.
That depends on how your organisation works with Citrix. If you obtain Services (such as Citrix Cloud Services) and Citrix holds your personal data within those Services, then Citrix is a data processor.
"Processor" signed DPA
Citrix's partners and vendors
"Sub-processor" sign DPA
Citrix offers an Online Data Processing Agreement. This can be done in a fast, simple and reliable process that will be familiar to most of our customers from our Online NDA. In order to complete a Data Processing Agreement:
- Go to Citrix.com and Sign In to your Citrix My Account,
- Click “View Data Processing Agreement” on the left side, and
- Accept the Online Data Processing Agreement electronically.
Podio, RightSignature, and Citrix Content Collaboration customers who are not using the Citrix Content Collaboration Enterprise Edition or have not also bought any Citrix Enterprise product may not have a My Citrix Account.
The Data Processing Agreement terms are incorporated into the EUSA of your product and will be shown to you the first time the account owner or master administrator signs in to the Service. No further action is required from your side.
But you can also easily set up a My Account on www.citrix.com. This makes the Online Data Processing Agreement available to you and offers many other advantages related to Citrix products and services.
Alternatively, if you require a copy of a Data Processing Agreement, you can request it here.
EU law regulates the transfer of EU personal data to countries outside the European Economic Area (EEA) (EU countries + Iceland, Liechtenstein, and Norway). The EU has provided a set of model contract clauses (non-negotiable terms set out by the European Union), which can be incorporated into agreements between data controllers and processors established outside the EU or EEA to ensure that any personal data leaving the EEA will be transferred in compliance with EU law, including GDPR.
Yes. The GDPR terms in the EULA / EUSA as well as the Online DPA already include the Standard Contractual Clauses, which are pre-signed by Citrix and may not be changed.
The UK will not have completed their withdrawal from the EU when the GDPR goes into effect, therefore the GDPR will still apply to the UK. If companies in the UK process data of EU residents, they will always fall under the GDPR, no matter if the UK is a member of the EU or not.
This FAQ and the links within provide a general overview of the EU General Data Protection Regulation (GDPR). It is not intended as and shall not be construed as legal advice. Citrix does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that customers or channel partners are in compliance with any law or regulation.
Customers and channel partners are responsible for ensuring their own compliance with relevant laws and regulations, including GDPR. Customers and channel partners are responsible for interpreting themselves and/or obtaining advice of competent legal counsel with regard to any relevant laws and regulations applicable to them that may affect their operations and any actions they may need to take to comply with such laws and regulations.