GDPR, the General Data Protection Regulation (effective in the European Union as of May 25, 2018) improves data protection for EU citizens by letting Dynatrace users control their personal data within social networks and in the cloud.
GDPR rights for EU citizens
GDPR defines the following rights for EU citizens:
- Right to be informed
- Right of access
- Right to rectification
- Right to object
- Right to erasure ("the right to be forgotten")
- Right to data portability
- Right to restrict processing
- Rights regarding automated decision-making and/or profiling
Companies use Dynatrace products to monitor the performance and quality of services such as web and mobile applications. Dynatrace doesn't, by default, track personal data, but such tracking is possible depending on individual environment configurations and the applications that they are monitoring. For these reasons, Dynatrace is and must be GDPR compliant.
Data controllers and data processors
GDPR differentiates between data controllers and data processors.
- A data controller determines the purposes and means of the processing of personal data. Such companies, including those that use application performance monitoring, must ensure that personal data is collected and used in accordance with regulations.
- A data processor processes personal data on behalf of a data controller. Dynatrace, for example, processes personal data for its customers in the course of providing application performance monitoring. Data processors must ensure that stored personal data is protected.
User Experience Management (UEM) and personal data
The recording of personal data is acceptable under GDPR as long as the data collection is proportionate. A data controller must:
- Record minimal personal data and process it safely.
- Adhere to obligations that ensure rights, such as the right to information and the right to be forgotten.
When AppMon captures personal data, it's typically through the use of User Experience Monitoring (UEM).
UEM captures performance metrics from inside a user's browser and offers the ability to identify and track each user session, including entire click paths. This information is needed to monitor performance, provide high-quality service monitoring, and quickly resolve issues when problems are detected.
What our software does with personal data:
- UEM mainly captures URLs and IP addresses, as required for performance management. UEM can be configured to capture usernames, user IDs, and other personal data to provide better detail about user sessions that experience performance problems.
- UEM tracks click paths but it doesn't track personal data such as birth dates, social security numbers, credit card numbers, pictures, and social preferences (unless explicitly configured to do so). This is because Dynatrace products are focused on clicks, response times, and service communication, not specific input values.
- Collected data ages out and is automatically deleted over time, typically within a few weeks. So, an EU citizen's "right to erasure" is handled by default.
User notification of data storage
Customers are required to be transparent with their users and inform them of the ways in which they collect and use their users' information (typically by way of a Privacy Notice). Where customers engage any third parties to collect information about their users on their behalf (such as Dynatrace), whether for the purposes of application and behavioral analytics or otherwise, this should be made transparent in its Privacy Notice.
Dynatrace additionally recommends the following UEM settings (assuming that these settings aren't superseded by other legal requirements faced by your organization).
Ensure that your organization constructs visit tags so that they aren't built upon personal data. Each actively defined visit tag in your environment can potentially collect personal data. Only the bare minimum of personal data should be gathered and this information should not be used as the basis for tagging.
Data privacy settings
AppMon provides a set of properties to care about end user privacy. You can find them in System Profile Preferences > Data Privacy. These settings include:
- IP address masking: Reduces geographic accuracy while still providing for valuable statistical analysis.
- Masking of user action names: Helps you anonymize HTML elements that may contain personal data.
- Do Not Track support: Allows users to opt out if they don't want to be tracked.
See AppMon privacy configuration to learn more.
Unintended data collection
Through improper implementation or configuration, it's possible that a web application may perform unintended data collection. It's the responsibility of each organization to ensure that personal data are captured responsibly.
If you become aware of any unintended data collection, or have any concerns about data privacy, please contact us at firstname.lastname@example.org so that we can look into the details and work with you on a resolution.
How AppMon provides GDPR compliance
Dynatrace products provide support for GDPR compliance in the following ways:
- Right to be informed: Users may want to understand what data are collected about them. Dynatrace products have query functions that support this, and session results can be exported to formats such as JSON for analysis.
- Right for erasure (also known as, the right to be forgotten): Users may want their data to be deleted.
- Right to data portability: Users may want to change platforms and take their data with them. This isn't relevant in Application Performance Monitoring (APM) because UEM sessions are the property of the data controller. Users have no need to export their click paths and import them into other web applications.
- Right to rectification or objection: Users may want to change address information or fix incorrect information. This isn't relevant in Application Performance Monitoring because UEM sessions are read-only transaction recordings. If, for example, a user's name is spelled incorrectly, the error doesn't need to be corrected because the data won't be used for any other purpose in the future.
- Data protection: GDPR specifically rules that state-of-the-art mechanisms be implemented to protect personal data.
- The customers are responsible for using appropriate protection such as transparent hard-disk encryption.