General Data Protection Regulation (GDPR)

Effective May 25, 2018, the General Data Protection Regulation (GDPR) is a significant change to European Union (EU) privacy law. The regulation prioritizes an individual’s right to control their personal information. It imposes new rules on companies, government agencies, non-profits, and other organizations outside the European Union that process personal data related to the offering of goods and services to people in the European Union (EU), or that monitor the behavior of EU citizens within the European Union.

Esri is committed to compliance with the GDPR by providing privacy protection to all our customers.

Esri is both a controller and processor of personal information, and that information is stored in the United States. We control the personal information of those with whom we directly interact. Examples of this are users who create Esri Accounts or fill out a form on our website. We are a processor of personal information for other controller organizations (i.e., our customers) who have entrusted us with processing personal information that they control. Examples of this are ArcGIS Online, data that is uploaded as part of a technical support case, and contact information provided to us for a customer organization.

The GDPR details six legal bases that allow controllers (like Esri) to process personal information. They are: contractual necessity, legal obligation, vital interests, public interest, legitimate interest, and consent. Most of the work we do with customers is classified as contractual necessity or legitimate interest. In other cases (e.g., web browsing tracking, marketing), we obtain direct consent before collecting any personal information.

Esri is committed to protecting your personal information from any attacks or data breaches. We have implemented appropriate security controls throughout our business systems. In the unlikely event of data breach, we will honor the GDPR requirements for notification.

Esri has created a Data Processing Addendum that sets the conditions related to privacy, confidentiality, and security of EU personal data associated with online services and maintenance we provide to customers under a master agreement, customer's current license agreement with Esri, or the then current click through agreement. You may download, countersign and retain a copy of the Data Processing Addendum for your records; you do not need to return a copy to Esri.

Additional languages available:

• Data Processing Addendum (French)
• Data Processing Addendum (German)
• Data Processing Addendum (Greek)
  
• Data Processing Addendum (Polish)
• Data Processing Addendum (Portuguese Brazilian)
• Data Processing Addendum (Portuguese European)
• Data Processing Addendum (Spanish)

Esri has appointed a Data Protection Officer (DPO) and an EU Representative. They can be reached as indicated below.

Esri's Data Protection Officer: Ksenia Turk
Address: 380 New York St., Redlands, CA 92373
Telephone: +1 909 793 2853
Email: privacy@esri.com

Esri's EU Representative: nFrames GmbH, Esri R&D Center Stuttgart
Address: Kornbergstraße 36, 70176 Stuttgart, Germany
Telephone: +49 711 997 887 28
Email: dataprivacyeurope@esri.com

If you have any questions or concerns regarding privacy issues or the GDPR, please contact privacy@esri.com.