GDPR
The EU General Data Protection Regulation (GDPR) applies to a ‘company’1 whenever the personal information of people within the European Union is present in a company’s data and IT systems. Consequently, GDPR has had a transformative effect on the way companies manage and secure personal data.
Avira and its technology partners exchange information with the purpose of providing a cyber security service. If the data transferred contains the personal information of people within the European Union, both companies have the responsibility to ensure GDPR compliance.
It is important that the business relationship between Avira and a technology partner is structured to meet GDPR. Here, we provide some general guidance describing how this can be achieved. We will address Data Handling, Data Processing, and partner Licensing Agreements.
1 GDPR refers to ‘natural or legal person, public authority, agency or other body’. For the purposes of this article, we will refer to ‘company’ as it aligns best with the intended readership.
Data Privacy at Avira
At Avira, we understand the importance of our customers’ data. ‘Protecting people in the digital world’ is at the heart of our business. We are committed to our customers’ and partners’ success, and this includes compliance with GDPR.
Avira has taken a comprehensive approach to our GDPR compliance activities. Our services are designed to protect proprietary content and data.
Data Handling
Avira licenses a number of services and solutions to our technology partners that will result in the transfer of data. Some of these services may result in the transfer of personal information from the partner to Avira.
Avira’s anti-malware services do not transfer any personal data (pD) to a technology partner. These include all APIs, SDKs, threat feeds, scan engine updates, database updates and virtual appliance image updates.
Data Processing
Executable or Document files are transferred to Avira’s cloud security service for analysis.
The upload enables the file (or URL) to be evaluated for any threat or malware that may be present. The data within the file is ‘processed’ for the purposes of malware analysis. Any personal data contained within the file is not ‘processed’ in terms of GDPR Article 4, Part 4. In most cases, the technology partner also does not ‘process’ the personal data.
For these reasons, the relationship between Avira and a technology partner is normally that of Joint Data Controllers. As Joint Data Controllers, Avira and the technology partner determine the purposes and means of processing the personal data. In this case the purpose is ‘cyber security’ and the means of processing are the malware analysis engines applied within the Avira Protection Cloud.
License Agreements
We recommend that our OEM / technology partners ensure that their licensing agreements / end user license agreements explicitly state that they will share data with Avira for the purpose of proving a cyber and information security service.
