General Data Protection Regulation (GDPR) FAQ

This document addresses frequently asked questions with regard to the updates Citrix made in the End User License Agreements and End User Services Agreements, the Data Processing Addendum available in the Citrix My Account, and general questions about the GDPR.

We include security and data protection terms in our End User License Agreements (EULA) and End User Services Agreements (EUSA). The updated terms include a detailed description of the security controls used across Citrix’s services, as well as data processing terms that align to the applicable sections of the GDPR, and EU Standard Contractual Clauses. These terms will apply to any future purchase or product update – you do not need to do anything further to comply with the GDPR’s requirement to ensure that your organisation’s personal data is processed under a data processing agreement.

The Citrix terms are designed to address the requirements of Article 28 of the GDPR, which requires data processing activities to be governed by a contract, and to provide more specific information about how Citrix secures its Services.

The GDPR is the biggest update of European data protection law since 1995, providing greater protection for personal information of individuals.

The GDPR applies if your organisation is based in the EU or if it processes the personal data of individuals in the EU to offer products or services. This means that the GDPR will apply to practically all companies doing business in the EU.

Any kind of information that can be used to identify an individual, e.g. a phone number, a mail address, or an IP address.

Collecting, storing, using and pretty much anything else you can do with personal data.

The GDPR became effective on 25 May 2018.

Organisations must implement appropriate policies and security measures, report data breaches to authorities (and, in certain circumstances, affected individuals), conduct privacy impact assessments, keep records on data activities and enter into data processing agreements with data processors.

The GDPR is based on the Data Privacy Directive; however, it also strengthens existing laws in certain respects, including breach notification, higher fines for non-compliance and data loss, and greater individual control over how personal data is handled.

Fines can be up to 20 million Euros or 4 percent of an organisation’s worldwide revenue, whichever is higher.

There is no quick fix to compliance. As a start (if you haven’t done so already), you should determine how the GDPR applies to your organisation and the way it uses EU personal data. You may need to sign data processing agreements with your data processors, and you should look carefully at the security of your computing systems and data processing operations. Citrix’s GDPR Resource Kit may be helpful for your GDPR readiness efforts.

If your organisation is responsible for collecting data and determining how it is processed (a “data controller”), the GDPR requires that you enter into an agreement with anyone who handles data on your behalf (“data processors”). A data processing agreement is an agreement between a data controller and a data processor setting out how they will both meet the requirements of the GDPR. Citrix provides a Data Processing Addendum (DPA) for this purpose.

That depends on how your organisation works with Citrix. If you obtain Services (such as Citrix Cloud Services) and Citrix holds your personal data within those Services, then Citrix is a data processor.

This Citrix Data Processing Addendum (DPA) is part of the Citrix EULA, EUSA or services agreement applicable to the Services (“Agreement”) and does not require execution. The Citrix EU Standard Contractual Clauses, however, may be executed at your option.

EU law regulates the transfer of EU personal data to countries outside the European Economic Area (EEA) (EU countries + Iceland, Liechtenstein, and Norway). The EU has provided a set of model contract clauses (non-negotiable terms set out by the European Union), which can be incorporated into agreements between data controllers and processors established outside the EU or EEA to ensure that any personal data leaving the EEA will be transferred in compliance with EU law, including GDPR.

Yes, the EU Standard Contractual Clauses are incorporated by reference for applicable international transfers. For customers who would like to also formally execute SCCs, an executable version is available by following a few simple steps:

  • Go to Citrix.com and Sign In to your Citrix My Account
  • Click “View Standard Contractual Clauses” on the left side
  • Click “Accept” to complete the SCCs electronically

Podio, RightSignature, and Citrix Content Collaboration customers who are not using the Citrix Content Collaboration Enterprise Edition or have not also bought any Citrix Enterprise product may not have a Citrix My Account.

But you can also easily set up a My Account on www.citrix.com. This makes the Data Processing Addendum available to you and offers many other advantages related to Citrix products and services.

The UK will not have completed its withdrawal from the EU when the GDPR goes into effect; therefore the GDPR will still apply to the UK. If companies in the UK process data of EU residents, they will always fall under the GDPR, regardless of whether the UK is a member of the EU or not.

This FAQ and the links within provide a general overview of the EU General Data Protection Regulation (GDPR). It is not intended as and shall not be construed as legal advice. Citrix does not provide legal, accounting, or auditing advice or represent or warrant that its services or products will ensure that customers or channel partners are in compliance with any law or regulation.

Customers and channel partners are responsible for ensuring their own compliance with relevant laws and regulations, including the GDPR. Customers and channel partners are responsible for interpreting such laws themselves and/or obtaining the advice of competent legal counsel with regard to any relevant laws and regulations applicable to them that may affect their operations and any actions they may need to take to comply with such laws and regulations.