Legal

Databricks has put together the guidance on this page to assist our customers in understanding their obligations and our obligations under privacy laws and regulations.

Disclaimer

This information does not, and is not intended to, constitute legal advice. All information, content, and materials available below are for general informational purposes only.

[NEW] Will Databricks process my data deletion request if it is through a third party?

Databricks will process valid data deletion (and other rights) requests. You can exercise your data rights by emailing [email protected]. There are several third party services that claim they’ll automate data rights requests and help you exercise your rights. However, these services frequently require companies like Databricks to join a network, accept their terms, and provide additional personal data about you back to the services. Because we value your privacy and the security of your information, we treat these requests as spam and will not send these companies additional information about you, and accordingly will not be able to process any data subject requests received through such services.

How does Databricks perform onward data transfers? — New Standard Contractual Clauses (SCCs) were published on June 4, 2021. what do I need to do now to lawfully transfer data from the EEA to Databricks?

Databricks’ Platform Services Data Processing Addendum (DPA) now uses the 2021 Standard Contractual Clauses to transfer personal data to countries outside of the EEA where necessary to provide the Databricks Services. Databricks is a global company and onward data transfers may be used in accordance with our DPA to provide the Platform Services, to provide support, and for our Subprocessors.

If I am an existing Customer, does this mean I need to update my Agreements with Databricks?

The European Data Protection Board’s (EDPB) guidance on the 2021 Standard Contractual Clauses indicates that there is an 18-month grace period for existing data transfers until December 27, 2022. We believe that this means there is no action needed for existing Customers at this time provided that your current data processing agreement with Databricks contains a fall-back to the prior SCCs in the event Privacy Shield was invalidated (note that this was standard in our data processing agreements from 15 July 2019) or otherwise includes the prior SCCs. However, you should consult with your legal team to review the EDPB’s guidance. If you decide you would like to update your Agreement with Databricks, please execute our new Platform Services Data Processing Addendum and send it to [email protected]. Note that executing a new DPA will supersede your existing DPA as of the date we acknowledge receipt of the newly executed version.

If you have any questions, please reach out to the Databricks privacy team at [email protected].

Privacy Shield was invalidated on July 16, 2020 — how can I lawfully transfer personal data from the EEA to Databricks?

The Court of Justice of the European Union (CJEU) ruled on 16 July 2020 in the Schrems II case that the EU-US Privacy Shield Framework is no longer a valid mechanism for companies to transfer personal data from the European Union to the United States. Practically, this means that companies that were relying on the Privacy Shield certification of a vendor to permit the transfer of personal data from the EU to the US must now rely on an alternate mechanism for transfer. Databricks relies on the 2021 Standard Contractual Clauses for onward data transfers, as of the data processing addendum released on September 25, 2021. Please see above for any questions on continued use of a prior data processing addendum.

General Privacy Information

What are Data Rights Requests?

Certain privacy laws and regulations provide a right for certain individuals (known as ‘data subjects’ under the GDPR or ‘consumers’ under the CCPA) to be able to receive or request action be taken with respect to certain personal data (also known as ‘personally identifiable information’ or ‘personal information’). We refer to these requests below generally as ‘data subject requests’.

Databricks has created many self-service features within our product to assist our Customers in complying with their legal obligations relating to the data they process within Databricks. The Databricks Platform can help you satisfy a data subject request with respect to data that you’re holding about a data subject by, for example, permitting you to delete notebooks and cells (including the command history) that may contain personal data.

Additionally, you (through the admin on your account) may request that we export or delete personal data on behalf of your users that we may hold. If we determine that a data subject request we receive directly relates to data about your users or the individual has let us know that they believe you hold data about them, we will attempt to notify you prior to responding to such request. Please contact us at [email protected] with any questions.

Does Databricks have a data processing agreement?

Databricks offers a standalone data processing agreement to comply with certain data protection laws that contains our contractual commitments with respect to applicable data protection and privacy law. If your company determines that you require terms with us relating to an applicable data protection or privacy regulation and you do not yet have in place a data processing addendum (DPA) with us, please review and complete the instructions on our DPA.

Please note that if you have previously executed a DPA with Databricks, it is likely that the DPA already contains sufficient provisions to meet the requirements of the California Consumer Privacy Act’s provisions relating to agreements between a business and a service provider in order to avoid our processing of any personal data contained within your customer data being deemed a ‘sale’ under the CCPA. If you are concerned that it does not, please either execute a new DPA with Databricks (available at https://databricks.com/legal/dpa) or reach out to us at [email protected] with any questions you may have.

Can using Databricks help me comply with applicable data protection laws, like the GDPR or CCPA?

While there’s no product out there that can make you GDPR- or CCPA- compliant by itself, Databricks offers some truly unique functionality that may help you with your privacy compliance, particularly if you’re using data lakes to store personal data that might be subject to a data subject request (DSR). Please see the blog we posted on this for GDPR (and here, for CCPA) and a webinar where we discuss how using Databricks Delta Lake can help you process DSRs in a data lake scenario that might otherwise be nearly impossible.

Additionally, one of the most important steps Databricks takes to help you be GDPR and CCPA compliant is that we minimize the amount of data that we actually receive from you in the first place. Databricks is architected to ensure that the vast majority of customer data, including personal data, does not leave the environments specified by the customer (e.g. their cloud storage). Unlike many vendors that require customers to copy customer data into the vendor’s environment, requiring a customer to worry that the supplier won’t properly respond to a deletion request in a sufficient time to allow the customer to meet prescribed GDPR or CCPA requirements, the Databricks platform is designed to allow customers to keep their data within their own cloud environment under their control. While some customer data (and therefore some personal data) may end up in notebooks, we provide self-service functionality to enable a customer to delete this information (e.g., in response to a data subject request). So when the customer is required to delete data under a data subject request, or wants to make sure that it knows where its data is, the customer can rest easy knowing that the processes and controls they have already set up for their data remain applicable when using the Databricks platform.

What are Databricks’ privacy features?

In particular, Databricks:

• offers functionality within our product for our customers to be able to permanently delete notebooks and cells, along with the corresponding revision history, that may contain personal data, and making sure that, once marked for deletion, those contents are permanently purged within 30 days after being marked for deletion without any need for customers to take additional action;
• implemented pseudonymization techniques (in short – splitting user-specific records into a piece that cannot, by itself, identify the particular individual and a separately stored piece that can be used to return the data to an identifiable form only when needed) and redaction techniques to add an additional layer of protection on personal data (like a user email address) that might be recorded in Databricks’ usage logs;
• offers Databricks Delta Lake, a unified data management system built into the Databricks platform, that dramatically simplifies the task of being able to perform data subject requests against data stored in data lakes; and
• has put in place systems to be able to process data subject requests in a timely manner; and
• self-certified to Privacy Shield, certified to ISO27001, and attested to ISO27018, the internationally recognized industry standard approach for protecting personal data in the cloud. Additionally, on an annual basis, Databricks obtains an independently audited SOC 2 Type II report, which can be made available to you under NDA.

California Consumer Privacy Act (CCPA) Specific Information

What is the CCPA?

The California Consumer Privacy Act (“CCPA”) is a California privacy law intended to protect California consumers from businesses that improperly collect, use, or share their personal information, and is changing the way businesses have to manage and protect the consumer data they collect and store.

Is my company subject to the CCPA?

The CCPA is broadly applicable to businesses that operate in California. The CCPA covers businesses that:

1. Have annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185
2. Alone or in combination, annually buy, receive for the business’s commercial purposes, sell, or share for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
3. Derive 50 percent or more of its annual revenues from selling consumers’ personal information.

The CCPA may also cover ‘service providers’ that work with businesses subject to the CCPA.

Does complying with the GDPR mean I am already compliant with the CCPA?

Many companies wrongfully think that the data privacy processes and controls put in place for GDPR compliance will guarantee compliance with the CCPA–and while the things you may have done to prepare for the GDPR are helpful and a great start–they are unlikely to be sufficient. Companies need to focus on understanding their need for compliance and must determine which processes and controls can effectively prevent the misuse and unauthorized sale of consumer data.

What does the CCPA require me to do?

Similar to the GDPR, the CCPA empowers individuals to request:

• what personal information is being captured,
• how personal information is being used, and
• to have that personal information deleted.

Additionally, the CCPA (unlike the GDPR) encompasses information about ‘households’. While the CCPA does not define what is meant by a ‘household’, this has potential to significantly expand the scope of personal information subject to these requests. Failure to comply in a timely manner can result in statutory fines and statutory damages (where a consumer need not even prove damages) that can rise quickly. The challenge for companies doing business in California or otherwise subject to the CCPA, then, is to ensure they can quickly find, secure, and delete that personal information

EU General Data Protection Regulation (GDPR) Specific Information

What is the GDPR?

GDPR stands for the EU General Data Protection Regulation, and it codifies certain rights related to personal data originating from the European Economic Area (EEA). The GDPR replaces the EU Data Protection Directive (aka Directive 95/46/EC), an EU directive that had been in place regarding data protection since 1995. The GDPR is a regulation, rather than a directive, meaning that instead of prescribing results that must be obtained and allowing each member state of the EU to put in place its own laws, the GDPR mostly harmonizes the approach for data protection and privacy throughout the entire EEA by imposing specific requirements that must be met. It comes into force on May 25, 2018.

Is my company subject to the GDPR?

The short answer is almost certainly yes. You should confirm with your privacy legal counsel, but with few exceptions, the GDPR applies to any company that collects or processes personal data of individuals located in the EEA.

What does the GDPR require me to do?

The GDPR is extraordinarily complex (the regulation spans 99 articles across 88 pages of dense legal text). However, the obligations imposed by the GDPR boil down to seven core principles:

1. Lawfulness, fairness and transparency. Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject
2. Purpose limitation. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
3. Data minimisation. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
4. Accuracy. Personal data shall be accurate and, where necessary, kept up to date
5. Storage limitation. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
6. Integrity and confidentiality. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
7. Accountability. The controller shall be responsible for, and be able to demonstrate compliance with the GDPR.

How can I contact Databricks’ EU representative?

Databricks has appointed a representative in the EU in accordance with Article 27 of the GDPR. You may contact our representative at [email protected]

Additional Resources

• Make your Data Lake CCPA Compliant
• How to avoid drowning in DSRs in a data lake
• GDPR Webinar
• GDPR Compliance Primer
• Databricks Documentation