
EDIT: Sophos Connect telemetry collection DOES NOT break EU GDPR Laws

Please be aware that the telemetry data collection that users have to agree to during installation MUST be optional. Also, sending this data to non-EU servers is not lawful anymore: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091de.pdf

Changed subject to reflect corrected information
[locked by: AlanT at 8:13 PM (GMT -7) on 22 Sep 2020]
  • Hi Tom, I will check with our legal team about this statement, but Sophos Connect has gone through legal and compliance reviews, including GDPR, prior to every release. Sophos takes GDPR compliance very seriously, and we will investigate whether any changes are needed here, or not.

  • Hi ,

    Thanks again for sharing your concerns. I've checked with our legal team on this, and the good news is that Sophos Connect DOES NOT violate any GDPR regulations. Here is what they had to say:

    "Thank you for letting us know about your concerns. With the invalidation of Privacy Shield and other developments with respect to privacy around the world, we want to assure you that Sophos is processing customer data in a lawful manner that remains aligned with GDPR requirements and other applicable global privacy laws.

    In order to lawfully transfer personal data outside of the EU, an adequate data transfer mechanism must be used. Where Sophos does process personal data, Sophos relies on the Standard Contractual Clauses for the purposes of transferring personal data outside of the EU. This information is provided in our Sophos Group Privacy Notice under the International Transfers of Data section on the left hand side.  Sophos offers customers our standard Data Processing Addendum, which details our obligations with respect to personal data.

    Please feel free to contact us with additional questions about the Data Processing Agreement we have in place with you as a Customer.

    Additionally, telemetry data that Sophos collects and processes as a result of the use of Sophos Connect VPN is not considered personal data under GDPR. Our telemetry collection allows Sophos to provide the product to our customers and as such is not optional. Sophos processes this information based on contractual necessity, a recognized basis which may be relied upon to process data, recognized under GDPR."

    As such, I will have the subject of this thread changed, to prevent misunderstandings.

  • Hi Alan,

    Thanks for recognizing these concerns and providing the statement from the legal department. However, I do not share their opinion.

    According to the judgment, the United States does not provide an adequate level of protection for the personal data of EU citizens. I do not see how the Privacy Notice of a single company can achieve this.

    Also, because this is just one aspect of the data processing by the new client, I will forward this to our national inspection authority for further investigation.

    Thanks
    Tom

  • Hi Tom,

    This is an important topic, and you're entitled to your concerns, but this is a public forum, and opinion can be perceived as fact all too easily. For that reason, I want to leave this thread with no doubt for others. In this case, the facts are very clear.

    The Privacy Shield verdict does not apply to Sophos. Privacy Shield is a framework for data sharing with the EU and a number of countries, and that framework was invalidated in a recent ruling. However, GDPR allows for PII data to be shared outside of the EU, so long as proper safeguards are taken. This verdict is not a ruling against transmitting data to the US, only that the Privacy Shield framework does not meet the clearly defined GDPR standards, and cannot be used as a method to comply with GDPR. Sophos has made every effort to comply with GDPR standards, and is not reliant on Privacy Shield’s framework.

    But even if you are still in doubt, GDPR applies only to PII data. Sophos Connect telemetry does not contain PII data, and is not subject to GDPR. Sophos is able to legally transmit PII out of the EU by ensuring that GDPR regulations are followed, but with Sophos Connect telemetry, no PII is involved.

    If you still have concerns, please contact me over PM, or you can raise your concerns directly with our compliance team, at dataprotection@sophos.com