GDPR Compliance with Wasabi

Organizations subject to the GDPR can use Wasabi to store and maintain personal data.

Chapter 1

Executive Overview

Wasabi is an affordable and fast cloud storage service. Businesses and institutions use Wasabi hot cloud storage for a variety of purposes including primary storage for application data and content, secondary storage for backup or disaster recovery, and archival storage for long-term data and record retention.

The EU General Data Protection Regulation (GDPR), which took effect in May 2018, imposes strict requirements on how personal data is managed and protected. Organizations that are subject to the GDPR can use Wasabi to store and maintain personal data. Wasabi uses security best practices and technologies to ensure the physical security of its facilities and to maintain the privacy and integrity of personal data. In addition, Wasabi’s Terms of Use Agreement ensures Wasabi customers (“data controllers” under the GDPR) maintain exclusive ownership of electronic records as required by GDPR.

This white paper provides a brief overview of the use of the Wasabi service in light of the GDPR.

Chapter 2

GDPR was enacted in 2016 to strengthen and unify data protection for individuals within the European Union. The mandate is intended to provide citizens greater control over their personal data and to improve the flow of personal data within the EU. GDPR also regulates the export of personal data outside the EU (but does not require that personal data be stored within the EU).

GDPR went into effect on May 25, 2018, supplanting the existing European Data Protection Directive (95/46/EC Directive). The new regulation applies to any organization that has a presence in the EU or that offers goods or services in the EU.

Important GDPR terminology includes:

  • Data controller – an organization that collects or provides data regarding EU residents (e.g. a Wasabi customer)
  • Data processor – an organization that processes data on behalf of a data controller (e.g. a cloud provider such as Wasabi)
  • Data subject – a person living in the European Union
  • Personal data – any personally identifiable information relating to a data subject (e.g. name, identification number, location data, online identity)

Chapter 3

GDPR imposes strict data privacy and security rules for both data controllers and data processors. The mandate requires appropriate safeguards to protect the privacy of personal data, and defines consent rules for disclosing personal data. GDPR also grants individuals the right to examine, amend, correct and delete personal records.

Key GDPR data privacy and security provisions include:

  • Articles 15, 16 and 17 – rights of access, rectification and erasure – give data subjects tight control over their personal data
  • Article 20 – right to data portability – grants individuals the right to transfer personal data from one electronic processing system to another
  • Article 25 – data protection by design and default – requires data controllers to implement appropriate technical and organizational measures to safeguard personal data
  • Article 32 – security of processing – requires the “pseudonymization” and encryption of personal data
  • Articles 33 and 34 – notice of a personal data breach – require data controllers to notify supervisory authorities and data subjects of personal data leakage