The General Data Protection Regulation (GDPR) is a European Union law that applies to all organizations, regardless of location, that process the personal data of people in the European Economic Area (EEA; the 27 member states of the EU plus Iceland, Norway, and Liechtenstein) in the context of offering them goods or services or monitoring their behavior. Under the GDPR, organizations are required to identify a legal basis for processing personal data, give notice to individuals on what data is collected and how it will be used, honor requests from individuals to access, correct, or delete information about them, employ appropriate security controls to protect personal data from unauthorized access, notify individuals and authorities of data breaches, appoint a Data Protection Officer, and consider privacy at the beginning of an activity, rather than as an afterthought. The GDPR also restricts the transfer of personal data out of the EEA unless safeguards are in place to ensure essentially equivalent protection in the receiving jurisdiction.
F5 complies with the GDPR, as detailed in our Privacy Notice. F5 operates services as a processor to its Distributed Cloud Platform customers who are controllers (or as a subprocessor to a customer who is a processor). Accordingly, F5 complies with Article 28 for each of our Distributed Cloud offerings. F5 is a participant in the EU-US Data Privacy Framework, which the European Commission has determined provides adequate protection for transfers to participating companies in the United States, and utilizes the Standard Contractual Clauses to protect personal data transferred to global SOC locations for purposes of support. Furthermore, F5 has a robust privacy and security program to ensure customers can meet their obligations under the GDPR. Contact a sales representative to request a copy of F5’s annually issued SOC 2 Type II report, which is available under NDA and includes a table mapping its controls to requirements under the GDPR.
