Esri is committed to compliance with the European privacy law, the General Data Protection Regulation (GDPR) which went into enforcement May 2018. The GDPR imposes new rules on companies, government agencies, non-profits, and other organizations outside the European Union that process personal data related to the offering of goods and services to people in the European Union (EU), or that monitor the behavior of EU citizens within the European Union.
How GDPR Applies to ArcGIS
Esri is a processor of personal information for other controller organizations (i.e., our customers) who have entrusted us with processing personal information that they control. Examples of this are ArcGIS Online, data that is uploaded as part of a technical support case, and contact information provided to us for a customer organization.
How Esri is Taking Action
- DPA commitments—Esri has created a Data Processing Addendum (DPA) that sets the conditions related to privacy, confidentiality, and security of EU personal data associated with online services and maintenance we provide to customers under a master agreement, customer's current license agreement with Esri, or the then current click through agreement. After Privacy Shield was declared inadequate assurance in 2020, Esri added the EU Standard Contractual Clauses (SCC's) to our DPA. More recently, in 2021, we added supplementary measures to our DPA for assurance in alignment with recent EU guidelines.
- Cookies and Consent—Esri avoids using "Targeting" cookies to facilitate marketing/sales processes when utilizing customer paid-for products.
- Data retention—ArcGIS Online users are not required to store personal data within the application and the datasets they upload into ArcGIS Online can be deleted by the customer at any time. Customer datasets stored within ArcGIS Online organizations are deleted within 60 days of service termination. Customers can request deleting their datasets before this timeframe if necessary. Support datasets are deleted within 90 days of a support incident ending unless otherwise agreed/specified.
- Data location—ArcGIS Online customers working with an Esri distributor in the EU or Asia Pacific regions default to storing their organizational data within the associated EU or Asia Pacific region (Regional datacenter locations specified in the CAIQ). All other ArcGIS Online customer data and metadata for new organizations is restricted to being stored on US Soil by default.
- Encryption—Customer data is encrypted at rest and in transit for ArcGIS Online.
- Privacy experts—Esri is an International Association of Privacy Professionals (IAPP) member, with certified privacy resources within the Esri Software Security & Privacy team to ensure privacy by design practices continue to advance.
Recommended EU customer actions
- Sign Esri's DPA—Customers may download, countersign and retain a copy of the [PDF] for their records and do not need to return a copy to Esri.
- Review ArcGIS privacy best practices—One of the more extensive customer privacy guidance documents Esri has is the 50 page ArcGIS Location Tracking Privacy technical paper. The paper covers high-level architecture guidance, down to individual configuration settings. Numerous other presentations and guides covering privacy can be found in the Trust Center Documents section.
- Validate—Periodically check your deployment against the ArcGIS Security Advisor tool recommendations (blue button at the top of Trust Center). Even more extensive ArcGIS product configuration recommendations are summarized within the Privacy technical paper as a color-coded matrix (Seen below).