LogMeIn & GDPR FAQs
Looking to understand how LogMeIn is approaching GDPR? Here are answers to some of our most frequently asked GDPR questions:
Q) As a US company, does LogMeIn need to follow the GDPR?
A) Yes. As a global software-as-a-service provider, we have many customers in the EU (and European Economic Area or EEA) which means the GDPR applies equally to us. Therefore, we will be compliant with the applicable provisions of GDPR no later than May 25, 2018.
Q) I've read of ‘data controllers’ and ‘data processors’. What’s the difference and which one is LogMeIn?
A) To paraphrase the formal text: (a) a Data Controller is the owner of their information and decides how that information should be used; and (b) a Data Processor is a person or entity who processes the personal data of the Data Controller and carries out instructions of the Controller regarding this data. Generally speaking, our customers will be the Controllers of their Content (as the term is defined in our Terms of Service), including any associated personal information they place or generate in our systems, and LogMeIn will be the Processor on their behalf. In some limited and disclosed instances, such as when we collect data from a customer to create an account, LogMeIn will be the Controller. Formal definitions from the GDPR full text may be found here: http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
Q) Does the GDPR stop a company from storing information outside of the EU?
A) No, nothing in the current GDPR prevents this or suggests such a requirement. The GDPR does outline that Data Processors must protect personal data appropriately, regardless of where it is stored. Further, the GDPR does not invalidate or override the EU Model Clauses (which are part of LogMeIn’s GDPR-compliant DPA) or the EU-U.S. Privacy Shield Framework, which are both valid mechanisms to ensure the legal transfer of personal data into and out of the EU.
Q) When do GDPR regulations become “in force”?
A) May 25, 2018
Q) Where do you store my information?
A) Customer Content storage locations (and geo-residency functionality) will vary from product to product. We strongly encourage you to review our Security and Privacy Organizational Controls, located on our GDPR Resource Center, to find out more about the specific products. The GDPR does require that certain safeguards and principles be considered when handling personal data, but there is no requirement for EEA data or EU data to be stored solely in Europe. Please consult our GDPR compliance webpage for further details on how LogMeIn maintains appropriate personal data transfer mechanisms, such as the EU-U.S. and Swiss Privacy Shield.
Q) How can I delete my data from your servers?
A) Many of our products offer self-service options for Content deletion. To the extent self-service is not offered, please contact Support for assistance. Further, our global products have defined retention periods after which Content and relevant account information are generally removed following account cancellation, termination/expiration, or, for free products, after inactivity. Please check the relevant Security and Privacy Organizational Controls document, found on our GDPR Resource Center, for specific details for each of our global offerings.
Q) How can I receive confirmation that my data has been deleted?
A) We encourage you to check for self-service deletion capabilities, which are the quickest way to ensure your data has been deleted. If your product does not offer self-service capabilities and you have sent a request for account deletion to our support team, you will receive confirmation once that deletion has occurred. Otherwise, deletion will occur per our standard retention periods. Please check the relevant Security and Privacy Organizational Controls document, found on the GDPR Resource Center, for more details.
Q) Is a new GDPR-compliant version of my product available?
A) If you are using the current version of our hosted products, GDPR-related changes have already been made available. As a general best practice, checking regularly for updates (or enabling auto-updating, where available) to the extent that there are components or executables on your machine (e.g. LastPass browser extensions) will ensure that you are using the most up-to-date versions of our software.
Q) How long is my data saved?
A) LogMeIn’s global hosted product offerings have built-in data retention and deletion periods and some products offer self-service deletion capabilities. Please check the relevant Security and Privacy Organizational Controls document, found on the GDPR Resource Center, for more details. As always, you may also request Content and account deletion at any time.
Q) Do you offer a data processing agreement?
A) Yes! LogMeIn is pleased to offer a revised GDPR-compliant Data Processing Addendum (DPA) incorporating: (1) the EU Standard Contractual Clauses (also known as the EU Model Clauses); (2) LogMeIn’s Technical and Organizational Data Security Measures; and (3) a GDPR-specific addendum. This GDPR-compliant DPA ensures that any transfer of personal data outside the European Economic Area in connection with your relationship with LogMeIn will be performed in compliance with the GDPR.
Q) Where do you store data in the event of a failover?
A) LogMeIn utilizes multiple co-location facilities to ensure optimal service availability and reliability. For global services utilizing co-location facilities, active-active redundant data centers are typically used within the same geographic region. For specific products, geo-residency functionality may be offered. For more details, please check the product-specific Security and Privacy Organizational Controls, found on the GDPR Resource Center.
NOTE: The above information is provided by LogMeIn for informational purposes only and is not intended to serve as legal advice. You should contact your attorney to obtain advice with respect to any particular GDPR questions, issues or problems.