Adobe & GDPR.

Adobe & The General Data Protection Regulation (GDPR/DSGVO).

The General Data Protection Regulation (GDPR) came into full effect on May 25, 2018. As part of Adobe’s GDPR readiness project, we are enhancing our products, services, and processes, as necessary. With compliance being a shared responsibility, we look forward to partnering with you to address any new obligations for data governance and privacy by design features.

Adobe provides products and services. Is Adobe then responsible for the data or does the company only process it?

When Adobe is providing software and services to an enterprise, Adobe is acting as a data processor for any personal data it processes. As a data processor, Adobe only processes personal data in accordance with your company’s permission and instructions (for example, as set out in your agreement with Adobe).

What personal data does Adobe process?

As the data controller, you will determine the personal data that Adobe processes and stores on your behalf. If you use Adobe Creative Cloud or  Adobe Document Cloud hosted services, you may upload content which includes personal data—for example, forms, contracts, photos and artwork containing people. Adobe’s Creative Cloud and Document Cloud hosted services include the storage of this personal data.

If you use our Adobe Experience Cloud solutions, Adobe may host personal data for you depending on the solutions you use and the information you choose to send to your Adobe Experience Cloud account. Detailed examples can be found here.

WHAT IS ADOBE DOING TOWARDS COMPLIANCE?

Integrated data protection

Practice of incorporating Privacy by Design in the development of our products and services. For example, we provide the capability in Adobe Analytics, Adobe Audience Manager, and Adobe Target to obfuscate IP addresses and allow individual level opt-outs.

 

Security measures

Adobe complies with generally recognised and industry-recognised standards, certifications and statutory requirements. Moreover, suitable technical and organisational measures have been taken (TOMs), and hundreds of security processes and control mechanisms implemented (Link).

We have developed the Adobe Common Controls Framework, a foundational framework of security processes and controls to protect Adobe infrastructure, applications and services. More information on Adobe’s Common Controls Framework can be found here.

Data transfer
Adobe is certified to the EU-US and Swiss-US Privacy Shield frameworks for customer-related data. Customers therefore have the choice if they would like their data transferred to Adobe US according to these certifications or EU Standard Contractual Clauses (also: EU Model Clauses). Further information can be found in Adobe’s Privacy Centre. You can also find out how to have the Standard Contractual Clauses sent to you here.
Contract conditions / Data Processing Agreement
We have updated Adobe’s Data Processing Agreement to account for the GDPR requirements.
Privacy Officer
Adobe currently has a Chief Privacy Officer, a Privacy Officer for Ireland and a special Privacy Team. 
Documenting privacy practices
Adobe is working to more formally document the privacy practices it has in place to comply with the extended record-keeping requirements.