GDPR Compliance Statement

WatchGuard’s GDPR Compliance Statement (“Statement”) explains how we address GDPR compliance. It should be read in conjunction with our Privacy Policy and other resources available at WatchGuard’s Trust Center. If you have any questions about the Statement or our data protection practices, please reach out to [email protected].

GDPR Principles We Are Committed To

Transparency, Fairness and Lawfulness: We process personal data after establishing appropriate lawful bases for such processing. We consider how data processing may affect data subjects, how data subjects would reasonably expect us to handle their data, and how we can meet transparency obligations. We keep our Privacy Policy, Cookie Policy, and in-product privacy notices up to date, and fulfill data subjects’ access requests.

Purpose Limitation: We process personal data to provide services to our customers and for other purposes identified in our Privacy Policy. Personal data is processed for the purposes it was collected for or with data subjects’ consent.

Data Minimization, Storage Limitation and Accuracy: We collect data we actually need for our specified purposes. We periodically review the data we hold and delete data we no longer need. When we remove data from our systems, we do so by using industry-approved standards. Keeping data accurate is also important to us. We comply with data subjects’ right to rectification and carefully consider any challenges to the accuracy of the personal data.

Data Integrity and Confidentiality: We are committed to ensuring that we have appropriate security measures in place to protect the personal data we store and process. Our Technical and Organizational Security Measures can be viewed in Annex 3 of our Data Processing Addendum. Product certifications, including our ISO/IEC 27001:2013 certificate, can be found on our Product Certifications page. WatchGuard has also established an incident response plan and process in case of a personal data breach.

Accountability: We have detailed policies and secure systems in place designed to ensure proper data protection and accountability. secjur GmbH, our external DPO, oversees our overall compliance with data protection regulations.

Steps We Have Taken to Comply With GDPR

Data Subject Requests. Where WatchGuard acts as a controller, we fulfill data subjects’ privacy rights requests according to our internal GDPR Requests Policy. Data subjects can submit a request as outlined in our Privacy Policy by emailing [email protected]. Where we act as a processor, we promptly redirect data subjects to a relevant business customer who acts as controller.

Privacy Review of Products and Services. We conduct internal reviews of new products and services to ensure that the underlying data processing meets GDPR requirements and, where applicable, is properly described in our privacy notices. We endeavor to implement new features that give our customers more control over data and ease their own burden of achieving GDPR compliance.

Vendor Due Diligence. WatchGuard vendors and sub-processors are required to enter into written agreements with WatchGuard that satisfy the requirements of applicable data protection law (including the GDPR). We conduct due diligence designed to ensure that such vendors and sub-processors can provide protections that are essentially equivalent to those provided to our customers by us. A list of WatchGuard sub-processors can be viewed here.

Customer Contractual Obligations. Our Customer Data Processing Addendum is incorporated by reference into our standard customer-facing agreements. If you would like to have a signed version, please contact us at [email protected].

Data Transfers. Where we process customer data in the United States in order to provide the services, the WatchGuard Data Processing Addendum incorporates the 2021 Standard Contractual Clauses ("SCCs"). This means that the SCCs apply automatically for all customers who use our services to process customer data outside the EEA, as well as the UK and Switzerland.

DPIAs. Where required, we conduct Data Protection Impact Assessments (“DPIAs”). The results are communicated to the relevant teams and help us establish appropriate controls on data processing and management.

Security Measures. WatchGuard has an internal Information Security Policy that establishes a security program to ensure that WatchGuard adopts best practices to safeguard our customer data. Our Technical and Organizational Security Measures can be viewed in Annex 3 of our Data Processing Addendum, and product certifications, including our ISO/IEC 27001:2013 certificate, can be found on our Product Certifications page. We improve our data security measures and controls based on internal security reviews, internal reviews of products and services, and the DPIAs.

Incident Response. To ensure an appropriate response to data incidents, we follow our incident response plan and process. All incidents are tracked regardless of whether they amount to a personal data breach. In the event of a personal data breach, WatchGuard will notify data protection authorities, data subjects or our business customers as applicable and depending on our role in relation to the data.

Contact Information

If you have any questions about this Statement, please email [email protected] or contact us as specified below:

By mail:
WatchGuard Technologies, Inc.
Attn: Legal Department
255 S. King St.
Suite 1100
Seattle WA 98104

In Europe by registered post:
Panda Security
Attn: Legal Department
Calle Santiago de Compostela 12, 1ª planta
48003 Bilbao, Bizkaia

Please note that you may also submit your requests or complaints directly to our DPO at [email protected].