Absolute Secure Access General Data Protection Regulation (GDPR) & Personal Data
Frequently Asked Questions
This FAQ briefly describes the steps Absolute takes with its Secure Access solution in accordance with the EU GDPR in the EU, and with the UK GDPR in the UK (collectively, the “GDPR”). The FAQ also provides insight into the features you may want to leverage when considering your own company’s compliance.
What is the GDPR?
The General Data Protection Regulation is a European Union (“EU”) regulation (Regulation (EU) 2016/679), implemented in the UK through the UK GDPR and the UK Data Protection Act 2018, that strengthens the data protection rights of individuals in the EU/UK and in the European Economic Area (“EEA”). It also regulates transferring Personal Data outside the EU/UK. The GDPR’s primary purpose is to give individuals control over their Personal Data and to simplify the regulatory environment for international business in the EU/UK.
When does the GDPR apply?
The GDPR applies to companies processing Personal Data in the context of the activities of an EU/UK establishment, or to companies offering goods or services to individuals located in the EU/UK.
Absolute Security is based in the US, but we may collect Personal Data of EU/UK individuals when offering goods or services to individuals located in the EU/UK.
Is Absolute a GDPR controller or processor?
In the GDPR, a data controller is the entity that determines the purposes (i.e. why) and means (i.e. how) the Personal Data is being processed.
- For Absolute Secure Access SaaS and on-premises, the customer is the data controller.
In the GDPR, a data processor processes Personal Data on behalf of the data controller.
- For Absolute Secure Access SaaS, Absolute is a data processor.
- For Absolute Secure Access on-premises, the customer is the data processor.
What is meant by data processing?
Examples of processing Personal Data include activities like hosting, encrypting, decrypting, examining, modifying, storing, retrieving, destroying, deleting or erasing Personal Data. This list is exemplary but not comprehensive. These activities can be manual, automated or semi-automated.
What "personal data" does Absolute Secure Access collect?
Under the GDPR, “Personal Data” means any information that relates to an identified or identifiable individual. This includes direct identifiers such as a name and contact details, but also indirect identifiers such as IP addresses, cookies and location data.
The customer, as the data controller, determines and configures the exact data categories that Absolute Secure Access collects. These include, but are not limited to, the following:
- User name
- Device authentication ID
- User group
- Integrated circuit card identifier (ICCID)
- Device name
- Point of Presence (POP) address
- Device group
- Mobile router adapter ID
- Phone number
- Mobile router local link ID
- Location - latitude & longitude
- Linked mobile router ID
- IP addresses
- Adapter ID
- MAC address
- SSID
- Device Permanent Identification number (PID)
- Wi-Fi BSSID
- Electronic Serial Number (ESN)
- Cell tower ID
- International Mobile Equipment Identity (IMEI)
- Diagnostic report contents
- International Mobile Subscriber Identity (IMSI)
- Bandwidth test memo
- Mobile Equipment Identity (MEID)
- Custom tags
A single data element, such as User Group, may not necessarily expose an individual’s identity. However, when combined with other data elements (e.g., SSID, Cell Tower ID, etc.), an individual’s identity could be determined.
Do I have a legal basis to use the Absolute Secure Access solution?
The GDPR provides different legal bases on which our customers, as data controllers, can rely to process Personal Data. It is up to the customer to determine the appropriate legal basis each time; however, the GDPR does recognize a company’s “legitimate interest” as a legal basis for processing Personal Data related to critical systems that secure the company, its networks, and systems.
In particular, GDPR’s Recital 49, titled “Network and information security as overriding legitimate interest”, outlines examples that relate directly to Absolute Secure Access, such as preventing unauthorized access to networks, blocking malicious code distribution, and preventing DDoS attacks. Other GDPR recitals discuss the need for maintaining network and data availability.
How can I request access to my users' personal data?
Absolute Secure Access customer administrators with console access and designated permissions have control of, and access to, their users’ Personal Data. Personal Data is only retained in the system for up to 90 days, after which point the data is automatically deleted.
For on-premises deployment, Absolute does not have access to any of your company’s Personal Data stored in Secure Access or Insights for Network.
Absolute Secure Access SaaS customers have access to their users’ Personal Data for the duration of their subscription, subject to the maximum 90-day retention at any given time. The information is only available to personnel authorized to access management consoles for Secure Access and for Insights for Network.
After a customer’s SaaS subscription ends, the customer’s authorized account administrator may contact Absolute Security to request a copy of their company’s data up to 90 days after the subscription expires. Ninety days after a customer’s SaaS subscription expires, all data is destroyed.
Does the GDPR require EU/UK personal data to stay in the EU/UK?
The GDPR permits EU/UK data transfers to countries outside the EU/UK subject to certain safeguards, such as the use of Standard Contractual Clauses. Absolute’s Data Processing Agreement incorporates Standard Contractual Clauses by reference.
What steps has Absolute taken to offer Secure Access in the EU/UK?
Absolute has taken several steps to offer Secure Access in the EU/UK, including:
- Data Processing Addendum. Absolute Security has adopted and maintains a Data Processing Addendum as part of the Secure Access SaaS Master Subscription Agreement. In addition, we ask our sub-processors who are processing Personal Data on our behalf or on behalf of our customers to sign a GDPR Data Processing Agreement.
- Cross-border data transfers. Absolute’s Data Processing Agreement incorporates the EU Standard Contractual Clauses and the UK Addendum to the EU Standard Contractual Clauses to effectuate data transfers to third countries, such as the US.
- Privacy and Cookie Policy. We maintain a Privacy and Cookie Policy that describes our processing operations, and data collection practices, which you can access here: https://www.absolute.com/company/legal/privacy/
- Information security measures. Absolute maintains various information security measures when handling Personal Data. Secure Access SaaS customers can select the physical region(s) in which their Secure Access and Insights for Network SaaS services and data will reside. Additionally, Absolute applies data segregation: each Secure Access SaaS customer is treated as a single tenant, with all data isolated from other Absolute Secure Access customers and only accessible by the customer’s authorized administrators. Role-Based Access Controls allow the customer’s administrators to configure who has access to the Secure Access Console, as well as which Insights for Network dashboards, users and devices can be viewed by end-users.
This page is provided for informational purposes only, and does not cover data processing practices for non-EU/UK Personal Data. This page is not intended to provide legal advice. For up-to-date information about Absolute’s data protection practices, please regularly consult Absolute’s privacy policy, the Privacy and Cookie Policy. Please seek appropriate legal advice regarding your company’s own obligations under the GDPR.