Databricks has put together the guidance on this page to assist our customers in understanding their obligations and our obligations under privacy laws and regulations.
This information does not, and is not intended to, constitute legal advice. All information, content, and materials available below are for general informational purposes only.
[NEW] How does Databricks perform onward data transfers? — New Standard Contractual Clauses (SCCs) were published on June 4, 2021. what do I need to do now to lawfully transfer data from the EEA to Databricks?
Databricks’ Platform Services Data Processing Addendum (DPA) now uses the 2021 Standard Contractual Clauses to transfer personal data to countries outside of the EEA where necessary to provide the Databricks Services. Databricks is a global company and onward data transfers may be used in accordance with our DPA to provide the Platform Services, to provide support, and for our Subprocessors.
[NEW] If I am an existing Customer, does this mean I need to update my Agreements with Databricks?
The European Data Protection Board’s (EDPB) guidance on the 2021 Standard Contractual Clauses indicates that there is an 18-month grace period for existing data transfers until December 27, 2022. We believe that this means there is no action needed for existing Customers at this time provided that your current data processing agreement with Databricks contains a fall-back to the prior SCCs in the event Privacy Shield was invalidated (note that this was standard in our data processing agreements from 15 July 2019) or otherwise includes the prior SCCs. However, you should consult with your legal team to review the EDPB’s guidance. If you decide you would like to update your Agreement with Databricks, please execute our new Platform Services Data Processing Addendum and send it to firstname.lastname@example.org. Note that executing a new DPA will supersede your existing DPA as of the date we acknowledge receipt of the newly executed version.
If you have any questions, please reach out to the Databricks privacy team at email@example.com.
Privacy Shield was invalidated on July 16, 2020 — how can I lawfully transfer personal data from the EEA to Databricks?
The Court of Justice of the European Union (CJEU) ruled on 16 July 2020 in the Schrems II case that the EU-US Privacy Shield Framework is no longer a valid mechanism for companies to transfer personal data from the European Union to the United States. Practically, this means that companies that were relying on the Privacy Shield certification of a vendor to permit the transfer of personal data from the EU to the US must now rely on an alternate mechanism for transfer. Databricks relies on the 2021 Standard Contractual Clauses for onward data transfers, as of the data processing addendum released on September 25, 2021. Please see above for any questions on continued use of a prior data processing addendum.
General Privacy Information
What are Data Rights Requests?
Certain privacy laws and regulations provide a right for certain individuals (known as ‘data subjects’ under the GDPR or ‘consumers’ under the CCPA) to be able to receive or request action be taken with respect to certain personal data (also known as ‘personally identifiable information’ or ‘personal information’). We refer to these requests below generally as ‘data subject requests’.
Databricks has created many self-service features within our product to assist our Customers in complying with their legal obligations relating to the data they process within Databricks. The Databricks Platform can help you satisfy a data subject request with respect to data that you’re holding about a data subject by, for example, permitting you to delete notebooks and cells (including the command history) that may contain personal data.
Additionally, you (through the admin on your account) may request that we export or delete personal data on behalf of your users that we may hold. If we determine that a data subject request we receive directly relates to data about your users or the individual has let us know that they believe you hold data about them, we will attempt to notify you prior to responding to such request. Please contact us at firstname.lastname@example.org with any questions.
Does Databricks have a data processing agreement?
Databricks offers a standalone data processing agreement to comply with certain data protection laws that contains our contractual commitments with respect to applicable data protection and privacy law. If your company determines that you require terms with us relating to an applicable data protection or privacy regulation and you do not yet have in place a data processing addendum (DPA) with us, please review and complete the instructions on our DPA.
Please note that if you have previously executed a DPA with Databricks, it is likely that the DPA already contains sufficient provisions to meet the requirements of the California Consumer Privacy Act’s provisions relating to agreements between a business and a service provider in order to avoid our processing of any personal data contained within your customer data being deemed a ‘sale’ under the CCPA. If you are concerned that it does not, please either execute a new DPA with Databricks (available at https://databricks.com/dpa) or reach out to us at email@example.com with any questions you may have.
Can using Databricks help me comply with applicable data protection laws, like the GDPR or CCPA?
While there’s no product out there that can make you GDPR- or CCPA- compliant by itself, Databricks offers some truly unique functionality that may help you with your privacy compliance, particularly if you’re using data lakes to store personal data that might be subject to a data subject request (DSR). Please see the blog we posted on this for GDPR (and here, for CCPA) and a webinar where we discuss how using Databricks Delta Lake can help you process DSRs in a data lake scenario that might otherwise be nearly impossible.
Additionally, one of the most important steps Databricks takes to help you be GDPR and CCPA compliant is that we minimize the amount of data that we actually receive from you in the first place. Databricks is architected to ensure that the vast majority of customer data, including personal data, does not leave the environments specified by the customer (e.g. their cloud storage). Unlike many vendors that require customers to copy customer data into the vendor’s environment, requiring a customer to worry that the supplier won’t properly respond to a deletion request in a sufficient time to allow the customer to meet prescribed GDPR or CCPA requirements, the Databricks platform is designed to allow customers to keep their data within their own cloud environment under their control. While some customer data (and therefore some personal data) may end up in notebooks, we provide self-service functionality to enable a customer to delete this information (e.g., in response to a data subject request). So when the customer is required to delete data under a data subject request, or wants to make sure that it knows where its data is, the customer can rest easy knowing that the processes and controls they have already set up for their data remain applicable when using the Databricks platform.
What are Databricks’ privacy features?
In particular, Databricks:
California Consumer Privacy Act (CCPA) Specific Information
What is the CCPA?
The California Consumer Privacy Act (“CCPA”) is a California privacy law intended to protect California consumers from businesses that improperly collect, use, or share their personal information, and is changing the way businesses have to manage and protect the consumer data they collect and store.
Is my company subject to the CCPA?
The CCPA is broadly applicable to businesses that operate in California. The CCPA covers businesses that:
The CCPA may also cover ‘service providers’ that work with businesses subject to the CCPA.
Does complying with the GDPR mean I am already compliant with the CCPA?
Many companies wrongfully think that the data privacy processes and controls put in place for GDPR compliance will guarantee compliance with the CCPA–and while the things you may have done to prepare for the GDPR are helpful and a great start–they are unlikely to be sufficient. Companies need to focus on understanding their need for compliance and must determine which processes and controls can effectively prevent the misuse and unauthorized sale of consumer data.
What does the CCPA require me to do?
Similar to the GDPR, the CCPA empowers individuals to request:
Additionally, the CCPA (unlike the GDPR) encompasses information about ‘households’. While the CCPA does not define what is meant by a ‘household’, this has potential to significantly expand the scope of personal information subject to these requests. Failure to comply in a timely manner can result in statutory fines and statutory damages (where a consumer need not even prove damages) that can rise quickly. The challenge for companies doing business in California or otherwise subject to the CCPA, then, is to ensure they can quickly find, secure, and delete that personal information
EU General Data Protection Regulation (GDPR) Specific Information
What is the GDPR?
GDPR stands for the EU General Data Protection Regulation, and it codifies certain rights related to personal data originating from the European Economic Area (EEA). The GDPR replaces the EU Data Protection Directive (aka Directive 95/46/EC), an EU directive that had been in place regarding data protection since 1995. The GDPR is a regulation, rather than a directive, meaning that instead of prescribing results that must be obtained and allowing each member state of the EU to put in place its own laws, the GDPR mostly harmonizes the approach for data protection and privacy throughout the entire EEA by imposing specific requirements that must be met. It comes into force on May 25, 2018.
Is my company subject to the GDPR?
The short answer is almost certainly yes. You should confirm with your privacy legal counsel, but with few exceptions, the GDPR applies to any company that collects or processes personal data of individuals located in the EEA.
What does the GDPR require me to do?
The GDPR is extraordinarily complex (the regulation spans 99 articles across 88 pages of dense legal text). However, the obligations imposed by the GDPR boil down to seven core principles:
How can I contact Databricks’ EU representative?
Databricks has appointed a representative in the EU in accordance with Article 27 of the GDPR. You may contact our representative at firstname.lastname@example.org