Dynatrace compliance with General Data Protection Regulation for EU citizens

Version 1.0 (February 1, 2018)

The General Data Protection Regulation (GDPR) goes into effect in the European Union (EU) on May 25, 2018. GDPR improves data protection for EU citizens by letting Dynatrace users control their personal data within social networks and in the cloud.

GDPR rights for EU citizens

GDPR defines the following rights for EU citizens:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to object
  • Right to erasure (“the right to be forgotten”)
  • Right to data portability
  • Right to restrict processing
  • Rights regarding automated decision-making and/or profiling

Companies use Dynatrace products to monitor the performance and quality of services such as web and mobile applications. Dynatrace doesn’t, by default, track personal data, but such tracking is possible depending on individual environment configurations and the applications that they are monitoring. For these reasons, Dynatrace is and must be GDPR compliant.

Data controllers and data processors

GDPR differentiates between data controllers and data processors.

  • A data controller determines the purposes and means of the processing of personal data. Such companies, including those that use application performance monitoring, must ensure that personal data is collected and used in accordance with regulations.
  • A data processor processes personal data on behalf of a data controller. Dynatrace, for example, processes personal data for its customers in the course of providing application performance monitoring. Data processors must ensure that stored personal data is protected.

Real User Monitoring (RUM) and personal data

The recording of personal data is acceptable under GDPR as long as the data collection is proportionate. A data controller must:

  • Record minimal personal data and process it safely.
  • Adhere to obligations that ensure rights, such as the right to information and the right to be forgotten.

When Dynatrace products capture personal data, it’s typically through the use of Real User Monitoring (RUM), also known as User Experience Monitoring (UEM).

RUM captures performance metrics from inside a user’s browser and offers the ability to identify and track each user session, including entire click paths. This information is needed to monitor performance, provide high-quality service monitoring, and quickly resolve issues when problems are detected.

What our software does with personal data:

  • RUM mainly captures URLs and IP addresses, as required for performance management. RUM can be configured to capture usernames, user IDs, and other personal data to provide better detail about user sessions that experience performance problems.
  • RUM tracks click paths but it doesn’t track personal data such as birth dates, social security numbers, credit card numbers, pictures, and social preferences (unless explicitly configured to do so). This is because Dynatrace products are focused on clicks, response times, and service communication, not specific input values.
  • Collected data ages out and is automatically deleted over time, typically within a few weeks. So, an EU citizen’s “right to erasure” is handled by default.

User notification of data storage

Customers are required to be transparent with their users and inform them of the ways in which they collect and use their users’ information (typically by way of a Privacy Notice). Where customers engage any third parties to collect information about their users on their behalf (such as Dynatrace), whether for the purposes of application and behavioral analytics or otherwise, this should be made transparent in its Privacy Notice. We, therefore, recommend that customers review and update their Privacy Notices before using our products and services. If customers wish to explain more about what Dynatrace is and what information we collect, customers may refer users to our Privacy Policy. Although we should note that we are currently reviewing and updating our Privacy Policy for the purposes of our own compliance with the GDPR prior to May 25, 2018. Dynatrace additionally recommends the following RUM settings (assuming that these settings aren’t superseded by other legal requirements faced by your organization).

Data privacy settings

  1. Go to Settings ▶ Web and mobile monitoring ▶ Data privacy.
  2. Enable the IP address masking setting. IP address masking reduces geographic accuracy while still providing for valuable statistical analysis.
  3. Enable the User action name masking setting. This helps you anonymize HTML elements that may contain personal data.

User tags

Ensure that your organization constructs user tags so that they aren’t built upon personal data. Each actively defined user tag in your environment can potentially collect personal data. Only the bare minimum of personal data should be gathered and this information should not be used as the basis for tagging.

HTTP headers

For each of your monitored applications, disable the Ignore do not track HTTP headers setting. This allows users to opt out if they don’t want to be tracked.

To disable the Ignore do not track HTTP headers setting for an application:

  1. Select Applications from the navigation menu.
  2. Select the application you want to configure.
  3. On the application page, click the […] Browse button and select Edit.
  4. Select the Advanced setup tab and scroll down to the Ignore do not track HTTP headers setting.
  5. Set the Ignore do not track HTTP headers switch to the Off position.

Log Analytics

RUM and Log Analytics may capture personal data in unplanned situations. For example, personal data may be included in a stack trace, crash dump, or error log. In such situations, personal data is collected solely to provide high-quality service and performance monitoring. We use such data only in exceptional situations (for example, following crashes or to resolve support requests).

Unintended data collection

Through improper implementation or configuration, it’s possible that a web application may perform unintended data collection. It’s the responsibility of each organization to ensure that personal data is captured responsibly.

How Dynatrace provides GDPR compliance

Dynatrace products provide support for GDPR compliance in the following ways:

  • Right to be informed: Users may want to understand what data are collected about them. Dynatrace products have query functions that support this, and session results can be exported to formats such as JSON for analysis.
  • Right for erasure (also known as, the right to be forgotten): Users may want their data to be deleted. This feature isn’t currently available, but Dynatrace will provide it in an upcoming release. Meanwhile, session data has a relatively low retention period, and GDPR gives data processors 30 days to process each customer request.
    • For Dynatrace® SaaS, the data retention period is 35 days.
    • In AppMon, the data retention period can be set by customers to a maximum of 30 days.
  • Right to restrict processing: This is supported by the “do not track” browser option and the requirement that users accept RUM tracking before JavaScript is injected into their browsers to enable RUM.
  • Right to data portability: Users may want to change platforms and take their data with them. This isn’t relevant in Application Performance Monitoring (APM) because RUM sessions are the property of the data controller. Users have no need to export their click paths and import them into other web applications.
  • Right to rectification or objection: Users may want to change address information or fix incorrect information. This isn’t relevant in Application Performance Monitoring because RUM sessions are read-only transaction recordings. If, for example, a user’s name is spelled incorrectly, the error doesn’t need to be corrected because the data won’t be used for any other purpose in the future.
  • Data protection: GDPR specifically rules that state-of-the-art mechanisms be implemented to protect personal data.
    • Dynatrace SaaS deployments encrypt all customer data by default and therefore fulfill this requirement as a data processor.
    • For Dynatrace® Managed on-premises deployments and AppMon, the operators are responsible for using appropriate protection such as transparent hard-disk encryption.