General Data Protection Regulation (GDPR) and Data Protection Framework

The General Data Protection Regulation (GDPR) is a European Union law that applies to all organizations, regardless of location, that process the personal data of people in the European Economic Area (EEA; the 27 member states of the EU plus Iceland, Norway, and Liechtenstein) in the context of offering them goods or services or monitoring their behavior. Under the GDPR, organizations are required to identify a legal basis for processing personal data, give notice to individuals on what data is collected and how it will be used, honor requests from individuals to access, correct, or delete information about them, employ appropriate security controls to protect personal data from unauthorized access, notify supervisory authorities of personal data breaches (and the affected individuals where the breach is likely to result in a high risk to them), appoint a Data Protection Officer where the regulation requires one, and consider privacy at the beginning of an activity rather than as an afterthought. The GDPR also restricts the transfer of personal data out of the EEA unless safeguards are in place to ensure essentially equivalent protection in the receiving jurisdiction.

F5 complies with the GDPR, as detailed in our Privacy Notice. F5 operates services as a processor to its Distributed Cloud Platform customers, who are controllers (or as a subprocessor to a customer who is itself a processor). Accordingly, F5 complies with Article 28 (the obligations of processors) for each of our Distributed Cloud offerings. F5 is a participant in the EU-U.S. Data Privacy Framework, which the European Commission has determined provides adequate protection for transfers to participating companies in the United States, and uses the Standard Contractual Clauses to protect personal data transferred to global SOC locations for support purposes. Furthermore, F5 maintains a robust privacy and security program to help customers meet their obligations under the GDPR. Contact a sales representative to request a copy of F5’s annually issued SOC 2 Type II report, which is available under NDA and includes a table mapping its controls to GDPR requirements.

FAQ


What personal data does F5 process for its customers?

For many services, F5 acts as a “processor” (not a controller) of the personal data required to provide a service. Details about the personal data that F5 processes are listed on the Privacy Statements for each service. Find all service-specific Privacy Statement links on the introduction of F5’s Privacy Notice at https://www.f5.com/company/policies/privacy-notice.


What specific security measures does F5 provide for personal data?

F5 and its services prioritize the protection of personal data and uphold the highest standards of data privacy. The technical and organizational controls that protect personal data collected by F5 are listed in the specific service contracts (for example, the Service-Specific Terms applicable to services provided under our End User Services Agreement) and in F5's SOC 2 Type II report. F5 Global Support is ISO 27001 certified, and F5 Distributed Cloud Services are ISO 27001 certified with extensions for ISO 27017 and ISO 27018. F5 is also PCI DSS compliant as a Level 1 Service Provider for F5 Distributed Cloud Services. Additional security certifications apply to specific F5 services and F5 hardware. Find more detailed information about data security practices at https://www.f5.com/company/policies/privacy-notice.


How do F5 and its customers address the requirements of Chapter V of the GDPR and similar requirements under UK and Swiss law regarding personal data transfers to the U.S. and other countries?

Customers whose primary place of business is in Europe, the Middle East, or Africa (collectively, EMEA) receive services through contracts with F5 Networks, Ltd. F5 Networks, Ltd., which is headquartered in and incorporated under the laws of the United Kingdom, is the center of F5’s EMEA operations. EU and Swiss authorities have recognized that UK law provides adequate protection for personal data, so transfers to the UK satisfy the requirements of Chapter V of the GDPR and the equivalent Swiss law.

Customers headquartered in the Asia–Pacific (APAC) region contract with F5 Networks Singapore Pte Ltd. in Singapore. All other customers (including those headquartered in North America) contract with F5, Inc. in the United States. For all F5 services, the Data Protection Addendum (DPA), as supplemented by the Service-Specific Terms, includes the Standard Contractual Clauses and provisions that apply to all legally applicable transfers to F5. These Standard Contractual Clauses are accompanied by the international data transfer addendum published by the UK government for UK transfers, as well as additional language published by the Swiss Federal Data Protection and Information Commissioner for Swiss transfers. For relevant services, F5 also maintains a certification under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework.


Is F5 certified to the Data Privacy Framework?

Yes. For relevant services, F5 maintains a certification under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework.


Do the U.S. Foreign Intelligence Surveillance Act (“FISA”) Section 702 and Executive Order (EO) 12333 discussed in the Schrems II decision affect F5?

No. These two U.S. legal provisions, which were the focus of the Schrems II decision, do not affect F5. In any case, due to improvements in U.S. law following the Schrems II decision, the European Commission determined in its Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-U.S. Data Privacy Framework that the earlier concerns about those provisions have been resolved. The European Data Protection Board (EDPB) analyzed the European Commission’s decision and noted (in its Information note on data transfers under the GDPR to the United States after the adoption of the adequacy decision on 10 July 2023) that “all the safeguards that have been put in place by the U.S. government in the area of national security (including the redress mechanism) apply to all data transferred to the U.S., regardless of the transfer tool used” (meaning, regardless of whether the data is transferred to the United States via the Data Privacy Framework, Standard Contractual Clauses, or another transfer tool).

F5 has never received a data access request or any other kind of directive under FISA 702. Many F5 services are not the type of service eligible to be targeted with a FISA 702 directive. Additionally, for almost all customers of F5 services, F5 does not process the type of data that is eligible to be targeted with a FISA 702 directive, which applies to data about the proliferation of weapons of mass destruction, foreign powers’ plans for attacks on the United States, intelligence about the clandestine activities of foreign spies, or other “foreign intelligence information” within the meaning of FISA.

F5 also cannot receive an order to produce customer data under EO 12333 because there is no such thing as an EO 12333 order. EO 12333 allocates certain responsibilities within the United States Intelligence Community but does not impose any obligations on the private sector. F5 encrypts data in transit and uses additional security measures to protect against the theoretical interception activities that concerned the Court of Justice of the European Union in Schrems II, prior to the 2023 European Commission adequacy determination discussed above.


How does the U.S. Clarifying Lawful Overseas Use of Data (“CLOUD”) Act of 2018 affect the U.S. government’s ability to demand access to data?

The CLOUD Act did not give the U.S. government new powers to demand data from companies that do business in the United States. The U.S. government does not issue “CLOUD Act orders,” and F5 has never received one. The CLOUD Act clarified that when the U.S. government follows appropriate existing legal process (such as obtaining an order from a federal district court judge) to direct a company to provide specified data in its possession, custody, or control, the location of the data cannot be the basis for the company’s challenge to the order (though a conflict with the laws in force at that location still may be). The CLOUD Act has been in force since 2018, before the 2020 Schrems II decision. Subsequent to the Schrems II decision, the United States made various improvements to its rules and practices regarding government access to data. The European Commission then assessed these improvements and determined that U.S. law applicable to U.S. government demands for data now provides an adequate level of protection within the meaning of the GDPR. See Implementing Decision of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-U.S. Data Privacy Framework. The European Data Protection Board (EDPB) analyzed this decision and noted (in its Information note on data transfers under the GDPR to the United States after the adoption of the adequacy decision on 10 July 2023) that “all the safeguards that have been put in place by the U.S. government in the area of national security (including the redress mechanism) apply to all data transferred to the U.S., regardless of the transfer tool used” (meaning, regardless of whether the data is transferred to the United States via the Data Privacy Framework, Standard Contractual Clauses, or another transfer tool).


What is F5’s policy for dealing with governmental demands for customer data?

Given the nature of F5’s customer relationships and the limited (and typically encrypted) data F5 handles for customers, such demands are extremely rare. F5’s policy for any demand for customer data is to (i) promptly notify the customer, if legally permissible, and then cooperate with the customer’s resolution of the demand, or (ii) if notifying the customer is unlawful, attempt to redirect the requesting authority to the customer. If these efforts do not resolve the matter, F5 would assess the legality of the demand and raise all reasonable challenges to it (such as an appeal), including whether compliance with the request would violate the GDPR or other relevant laws. During this process, F5 would request that the effects of the demand be suspended until the competent judicial authority has decided on its merits, including through any appeals process. F5 would not disclose any data in such a situation unless and until required to do so under the applicable procedural rules. If that point were reached, F5 would disclose only the minimum data necessary to comply with what remained of the original demand.


How can customers make sure the proper cross-border data transfer mechanisms are in place with F5?

Every customer contract for F5’s services (the End User Services Agreement (EUSA)) includes Service-Specific Terms that incorporate and supplement F5’s Data Protection Addendum (DPA), which includes the Standard Contractual Clauses with relevant additional language for transfers subject to UK or Swiss law. In certain cases, the customer and F5 will have a different contract that incorporates these same protections, such as the contract for specific F5 support services. Customers can also refer to https://www.dataprivacyframework.gov/list, which shows that F5 has certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework.


How do F5 and its customers address transfers of personal data subject to UK data protection law?

For transfers to F5 entities in “third countries” including the UK, F5 and its customers rely on the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, which is available on the UK Information Commissioner’s website and is incorporated by reference in F5's DPA for relevant transfers governed by UK law. In addition, for certain services, F5 is certified under the UK Extension to the EU-U.S. Data Privacy Framework.