The General Data Protection Regulation
The European Union General Data Protection Regulation (GDPR) went into effect on May 25, 2018. It largely unified data protection rules across the EU and created new obligations on the protection and handling of personal data, including security requirements and stronger rights for individuals with regard to their personal data.
Security is Fortinet’s business. We are committed to complying with the GDPR and supporting our partners and customers in their efforts to comply with the GDPR. GDPR Article 32 requires companies to take into account the “state of the art” when planning their security.
Fortinet is known as a leading security innovator, with exceptional security solutions, and Fortinet’s industry leading security solutions define the state of the art.
For example, many Fortinet services use automated technology to recognize and defend against cybersecurity threats, such as by blocking or quarantining suspected malicious data. As the industry leader in layered defense, our Security Fabric provides a multifaceted approach to modern-day security.
To better protect our end-customers and assist them with their own security compliance, some Fortinet solutions leverage external threat information gathered in some situations from certain of our end-customers, in order to improve security for a broader set of our end-customers. For example, if certain Fortinet services determine that a hacker is attacking some of our customers, we may use information about that threat in order to help protect other customers from similar attacks. This provides our customers with better protection than would be possible if Fortinet could not learn from experience.
Our own GDPR compliance approach includes the following:
- Data Security: We have put in place physical, electronic, organizational, administrative, and technical procedures and controls to safeguard data and help prevent unauthorized access, to maintain data security, and to use correctly the data we collect. Our data protection efforts utilize our own industry-leading products and services.
- Data Awareness: We maintain records of our data processing activities, which form the foundation for our data protection compliance.
- Data Deletion and Retention: We retain your information for the period necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted.
- Data Subject Rights: We have established data subject rights procedures designed to ensure that we provide reasonable and appropriate support for our customers’ responses to individuals’ requests to exercise their rights under the GDPR.
- Controller and Processor Obligations: For certain Fortinet services, Fortinet acts as a “processor” of our customers’ personal data. In other instances, Fortinet acts as a “controller.” Where Fortinet acts as a “processor,” Fortinet can make available a data processing agreement available upon request.
- Transparency: Our Privacy Policy at https://www.fortinet.com/corporate/about-us/privacy helps ensure compliance with GDPR notice requirements and helps enhance our transparency to our customers and their users.
- Vendor Management: We understand the importance of scrutinizing vendors who help us serve our partners and customers. We assess vendors before we engage them, and we ensure certain vendors agree to certain GDPR-related contractual terms before they can process our partners’ and customers’ information.
- Channel Partner Data: The data that we collect from our channel partners are used for legitimate business purposes only.
- Data Transfers: We comply with legal requirements for cross-border data protection, including through the use of European Commission-approved Standard Contractual Clauses. We offer a variety of safeguards to our customers for their transfers of data to us.
- If you have any questions regarding our GDPR efforts, please reach out to us at privacy@fortinet.com.
