European Union General Data Protection Regulation
Effective May 25, 2018, the General Data Protection Regulation (GDPR) is a significant change to European Union (EU) privacy law. The regulation prioritizes an individual’s right to control their personal information. It imposes new rules on companies, government agencies, non-profits, and other organizations outside the European Union that process personal data related to the offering of goods and services to people in the European Union (EU), or that monitor the behavior of EU citizens within the European Union.
Esri is committed to compliance with the GDPR by providing privacy protection to all our customers.
How GDPR applies to Esri
Esri is both a controller and processor of personal information, and that information is stored in the United States. We control the personal information of those with whom we directly interact. Examples of this are users who create Esri Accounts or fill out a form on our website. We are a processor of personal information for other controller organizations (i.e., our customers) who have entrusted us with processing personal information that they control. Examples of this are ArcGIS Online, data that is uploaded as part of a technical support case, and contact information provided to us for a customer organization.
The GDPR details six legal bases that allow controllers (like Esri) to process personal information. They are: contractual necessity, legal obligation, vital interests, public interest, legitimate interest, and consent. Most of the work we do with customers is classified as contractual necessity or legitimate interest. In other cases (e.g., web browsing tracking, marketing), we obtain direct consent before collecting any personal information.
How Esri is taking action
Esri is committed to protecting your personal information from any attacks or data breaches. We have implemented appropriate security controls throughout our business systems. In the unlikely event of data breach, we will honor the GDPR requirements for notification.
Esri has created a Data Processing Addendum that sets the conditions related to privacy, confidentiality, and security of EU personal data associated with online services and maintenance we provide to customers under a master agreement, customer's current license agreement with Esri, or the then current click through agreement. You may download, countersign and retain a copy of the Data Processing Addendum [PDF] for your records; you do not need to return a copy to Esri.
If you have any questions or concerns regarding privacy issues or the GDPR, please contact firstname.lastname@example.org.
Privacy and security are built into Esri’s products and services. The Trust Center website contains the assurance information you are looking for concerning the security, privacy, and compliance of the ArcGIS platform.