EU Personal Data Transfers Q&A
European Union (“EU”) data protection law, including the General Data Protection Regulation (“GDPR”), prohibits personal data transfers outside the EU unless an adequate level of data protection is provided, based on appropriate and effective safeguards.
BMC Software (“BMC”) has a long-standing commitment to privacy and personal data protection, on a global scale. In 2015, we became the world's first enterprise IT management provider to apply for and obtain approval from European regulators for our global Data Privacy Binding Corporate Rules (“BCRs”), both as a data Controller and as a data Processor.
BMC’s Processor BCRs allow our Customers to transfer personal data to BMC in a safe manner in accordance with EU data protection law, to any locations where BMC delivers services. They apply to all EU customer personal data transfers, regardless of where data is transferred to or from.
This Q&A answers key questions about Customer EU personal data transfers in the context of BMC Offerings and Services.
It is provided as of the date of publication of this document and is not to be considered as legal advice.
1. Does BMC transfer Customer EU personal data outside Europe?
Yes, depending on the BMC Offerings and Services. BMC may transfer Customer EU personal data outside Europe according to BMC’s Data Processing Agreement (DPA).
For example, BMC operations located outside Europe may be involved in the resolution of customer support requests, which may include Customer EU personal data. Another example would be where Customer elects a BMC data center outside Europe to host its EU personal data.
Some of the countries in which BMC operates are not regarded by EU data protection law as providing an adequate level of data protection.
2. Does BMC provide an adequate transfer mechanism?
Yes. When transferring data on behalf of its Customers, BMC relies on its Data Protection Binding Corporate Rules for Processors (BMC BCRs). BCRs are considered to be the platinum standard for compliance in data privacy and personal data protection worldwide.
BMC’s BCRs have been approved by the EU Supervisory Authorities and have required all BMC entities, employees and third-party providers to comply with EU standards since 2015.
The list of entities bound by BMC’s BCRs is published on BMC’s BCRs webpage.
BMC’s BCRs are incorporated in BMC’s Data Processing Agreement (DPA). More details on data transfers are included in services agreements and orders, depending on the type of Offering or Services.
BMC updated its BCRs to incorporate GDPR requirements in 2018 and notified its European Lead Supervisory Authority (CNIL) of the changes.
3. Do BMC’s BCRs address data disclosure requests from public authorities?
Yes. If a national enforcement authority or agency requests disclosure of Customer personal data, BMC will comply with Rule 12B of its BCRs: it will put the disclosure request on hold and promptly notify its Customer, BMC’s EU Lead Supervisory Authority and the Customer’s Supervisory Authority, unless prohibited from doing so by the requesting authority or agency.
If prohibited from taking these steps by the requesting authority or agency, BMC will diligently inform that authority or agency of BMC's obligations under EU data protection law in order to obtain a waiver of the prohibition. Where the prohibition cannot be waived despite BMC's best efforts, BMC will provide the competent Supervisory Authorities with an annual report containing general information about the disclosure requests received, to the extent BMC is authorized to do so.
4. Did the “Schrems II” ruling affect the validity of BMC’s BCRs?
No. On July 16, 2020, the European Court of Justice (ECJ) invalidated the Privacy Shield, a transatlantic legal framework for personal data transfers from the EU to the US, and required organizations to implement mechanisms effectively ensuring a level of protection equivalent to the EU (“Schrems II” ruling).
The validity of BMC’s BCRs remains unaffected by the ECJ decision. BMC Customers can rely on BMC’s BCRs as a lawful mechanism to transfer personal data in a safe manner and in accordance with EU data protection law.
BMC is closely following ongoing regulatory developments and will consider any potential amendment to its BCRs as necessary.
5. Has BMC implemented supplementary measures to restrict access to Customer personal data?
Yes. In accordance with the European Data Protection Board’s Recommendations 01/2020 on measures that supplement transfer tools, BMC has implemented supplementary measures to support compliance with EU data protection law and restrict unlawful access to Customer personal data, which include:
- Transparency towards Customers in case of a data disclosure request from a public authority, as set out in BMC’s BCRs;
- Challenging unlawful requests to disclose Customer data, as set out in BMC’s Data Processing Agreement (DPA);
- Technical measures such as data encryption, with decryption keys retained exclusively by the Customer, depending on the BMC Offerings and Services used.
More details on BMC Security & Privacy posture can be found on BMC’s Trust Center.
6. Can access to Customer data be limited to certain territories or countries?
Yes, depending on the BMC Offerings and Services. BMC has a broad global distribution of personnel and data center regions, allowing a range of options that Customers can use (including encryption options, such as Customer-controlled keys) to protect Customer data or to restrict Customer or BMC access to it for specified locations. BMC internal entities are used for general service operations such as backups, patching and upgrades. In addition, automation is widely used where possible to reduce the need for human intervention. For further information please contact your BMC representative.
BMC EU Personal Data Transfers Q&A - Rev. 2021-07-30