AppMon compliance with the General Data Protection Regulation for EU citizens

Version 1.0 (February 1, 2018)

The General Data Protection Regulation (GDPR) goes into effect in the European Union (EU) on May 25, 2018. GDPR improves data protection for EU citizens by letting Dynatrace users control their personal data within social networks and in the cloud.

GDPR rights for EU citizens

GDPR defines the following rights for EU citizens:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to object
  • Right to erasure ("the right to be forgotten")
  • Right to data portability
  • Right to restrict processing
  • Rights regarding automated decision-making and/or profiling

Companies use Dynatrace products to monitor the performance and quality of services such as web and mobile applications. Dynatrace doesn't, by default, track personal data, but such tracking is possible depending on individual environment configurations and the applications that they are monitoring. For these reasons, Dynatrace is and must be GDPR compliant.

Data controllers and data processors

GDPR differentiates between data controllers and data processors.

  • A data controller determines the purposes and means of the processing of personal data. Such companies, including those that use application performance monitoring, must ensure that personal data is collected and used in accordance with regulations.
  • A data processor processes personal data on behalf of a data controller. Dynatrace, for example, processes personal data for its customers in the course of providing application performance monitoring. Data processors must ensure that stored personal data is protected.

User Experience Management (UEM) and personal data

The recording of personal data is acceptable under GDPR as long as the data collection is proportionate. A data controller must:

  • Record minimal personal data and process it safely.
  • Adhere to obligations that ensure rights, such as the right to information and the right to be forgotten.

When Dynatrace products capture personal data, it's typically through the use of User Experience Management (UEM).

UEM captures performance metrics from inside a user's browser and offers the ability to identify and track each user session, including entire click paths. This information is needed to monitor performance, provide high-quality service monitoring, and quickly resolve issues when problems are detected.

What our software does with personal data:

  • UEM mainly captures URLs and IP addresses, as required for performance management. UEM can be configured to capture usernames, user IDs, and other personal data to provide better detail about user sessions that experience performance problems.
  • UEM tracks click paths but it doesn't track personal data such as birth dates, social security numbers, credit card numbers, pictures, and social preferences (unless explicitly configured to do so). This is because Dynatrace products are focused on clicks, response times, and service communication, not specific input values.
  • Collected data ages out and is automatically deleted over time, typically within a few weeks. So, an EU citizen's "right to erasure" is handled by default.

User notification of data storage

Customers are required to be transparent with their users and inform them of the ways in which they collect and use their users' information (typically by way of a Privacy Notice). Where customers engage any third parties to collect information about their users on their behalf (such as Dynatrace), whether for the purposes of application and behavioral analytics or otherwise, this should be made transparent in their Privacy Notice. We therefore recommend that customers review and update their Privacy Notices before using our products and services. If customers wish to explain more about what Dynatrace is and what information we collect, they may refer users to our Privacy Policy. Note, however, that we are currently reviewing and updating our Privacy Policy for the purposes of our own compliance with the GDPR prior to May 25, 2018.

Dynatrace additionally recommends the following RUM settings (assuming that these settings aren't superseded by other legal requirements faced by your organization).

User tags

Ensure that your organization constructs user tags so that they aren't built upon personal data. Each actively defined user tag in your environment can potentially collect personal data. Only the bare minimum of personal data should be gathered and this information should not be used as the basis for tagging.

Data privacy settings

AppMon provides a set of properties for protecting end-user privacy. You can find them in System Profile Preferences > Data Privacy. These settings include:

  • IP address masking: Reduces geographic accuracy while still providing for valuable statistical analysis.
  • Masking of user action names: Helps you anonymize HTML elements that may contain personal data.
  • Do Not Track support: Allows users to opt out if they don't want to be tracked.

See Security and privacy configuration to learn more.

Unintended data collection

Through improper implementation or configuration, it's possible that a web application may perform unintended data collection. It's the responsibility of each organization to ensure that personal data is captured responsibly.

How Dynatrace provides GDPR compliance

Dynatrace products provide support for GDPR compliance in the following ways:

  • Right to be informed: Users may want to understand what data are collected about them. Dynatrace products have query functions that support this, and session results can be exported to formats such as JSON for analysis.
  • Right to erasure (also known as the right to be forgotten): Users may want their data to be deleted.
    • AppMon provides the Visit anonymization REST API to anonymize visits in captured sessions.
    • The data retention period can be set by customers to a maximum of 30 days.
  • Right to restrict processing: This is supported by the "do not track" browser option and the requirement that users accept UEM tracking before JavaScript is injected into their browsers to enable UEM.
  • Right to data portability: Users may want to change platforms and take their data with them. This isn't relevant in Application Performance Monitoring (APM) because UEM sessions are the property of the data controller. Users have no need to export their click paths and import them into other web applications.
  • Right to rectification or objection: Users may want to change address information or fix incorrect information. This isn't relevant in Application Performance Monitoring because UEM sessions are read-only transaction recordings. If, for example, a user's name is spelled incorrectly, the error doesn't need to be corrected because the data won't be used for any other purpose in the future.
  • Data protection: GDPR specifically requires that state-of-the-art mechanisms be implemented to protect personal data.
    • Customers are responsible for using appropriate protection such as transparent hard-disk encryption.