Dynatrace compliance with GDPR for EU citizens

GDPR, the General Data Protection Regulation (effective in the European Union as of May 25, 2018) improves data protection for EU citizens by letting Dynatrace users control their personal data within social networks and in the cloud.

GDPR rights for EU citizens

GDPR defines the following rights for EU citizens:

  • Right to be informed
  • Right of access
  • Right to rectification
  • Right to object
  • Right to erasure ("the right to be forgotten")
  • Right to data portability
  • Right to restrict processing
  • Rights regarding automated decision-making and/or profiling

Companies use Dynatrace products to monitor the performance and quality of services such as web and mobile applications. Dynatrace doesn't, by default, track personal data, but such tracking is possible depending on individual environment configurations and the applications that they are monitoring.

Data controllers and data processors

GDPR differentiates between data controllers and data processors.

  • A data controller determines the purposes and means of the processing of personal data. Such companies, including those that use application performance monitoring, must ensure that personal data is collected and used in accordance with regulations.
  • A data processor processes personal data on behalf of a data controller. Dynatrace, for example, processes personal data for its customers in the course of providing application performance monitoring. Data processors must ensure that stored personal data is protected.

Real User Monitoring (RUM) and personal data

The recording of personal data is acceptable under GDPR as long as the data collection is proportionate. A data controller must:

  • Record minimal personal data and process it safely.
  • Adhere to obligations that ensure rights, such as the right to information and the right to be forgotten.

When Dynatrace products capture personal data, it's typically through the use of Real User Monitoring (RUM), also known as User Experience Monitoring (UEM).

RUM captures performance metrics from inside a user's browser and offers the ability to identify and track each user session, including entire click paths. This information is needed to monitor performance, provide high-quality service monitoring, and quickly resolve issues when problems are detected. For more details, see Personal data captured by Dynatrace.

Here is what our software does with personal data:

  • RUM mainly captures URLs and IP addresses, as required for performance management. RUM can be configured to capture usernames, user IDs, and other personal data to provide better detail about user sessions that experience performance problems.
  • RUM tracks click paths, but it doesn't track personal data such as birth dates, social security numbers, credit card numbers, pictures, and social preferences (unless explicitly configured to do so). This is because Dynatrace products are focused on clicks, response times, and service communication, not specific input values.
  • Collected data ages out and is automatically deleted over time, typically within a few weeks. So, a EU citizen's "right to erasure" is handled by default.

User notification of data storage

Customers are required to be transparent with their users and inform them of the ways in which they collect and use their users' information (typically by way of a Privacy Notice). Where customers engage any third parties to collect information about their users on their behalf (such as Dynatrace), whether for the purposes of application and behavioral analytics or otherwise, this should be made transparent in its Privacy Notice.

We, therefore, recommend that customers review and update their Privacy Notices before using our products and services. If customers wish to explain more about what Dynatrace is and what information we collect, customers may refer users to our Privacy Policy.

Real User Monitoring privacy settings

Dynatrace recommends the following RUM settings—assuming that these settings aren't superseded by other legal requirements faced by your organization.

For complete detail on all available RUM privacy settings for both web and mobile applications, see Configure Real User Monitoring according to GDPR

User opt-in mode

With opt-in mode enabled, the injected RUM JavaScript doesn't capture any data or set cookies. Data capture and cookie usage can, however, be enabled for individual users using the dtrum.enable() JavaScript API call. This allows you to implement an opt-in setting that enables your customers to comply with the data privacy standards of their region. For full details, see User opt-in mode

Do not Track HTTP headers

A technique for protecting end-user privacy that's supported by all web browsers is the Do Not Track HTTP header. With this setting enabled, browsers add an additional HTTP request header to all web requests they send. This header specifies that all user tracking must be disabled.

For details, see Do Not Track.

Unintended data collection

Through improper implementation or configuration, it's possible that a web application may perform unintended data collection. It's the responsibility of each organization to ensure that personal data are captured responsibly.

If you become aware of any unintended data collection, or have any concerns about data privacy, please contact us at privacy@dynatrace.com so that we can look into the details and work with you on a resolution.

Session Replay

Session Replay records all interactions that a user may have with your application. To avoid capturing potentially personal, confidential, or sensitive data, Session Replay offers a variety of configuration options, such as form field masking, content masking, and attribute masking.

Log Monitoring

RUM and Log Monitoring may capture personal data in unplanned situations. For example, personal data may be included in a stack trace, crash dump, or error log. In such situations, personal data is collected solely to provide high-quality service and performance monitoring. We use such data only in exceptional situations, for example, following crashes or to resolve support requests.

OneAgent and ActiveGate diagnostics

Support archives may contain personal data, for example, as part of a stack trace. Dynatrace masks some personal data like IBANs and URI credentials before storing support archives, but some personal data may not be masked. To ensure transparency in the use of support archives, Dynatrace writes audit log messages when support archives are created, analyzed, accessed, and deleted.

How Dynatrace provides GDPR compliance

Dynatrace products provide support for GDPR compliance in the following ways:

  • Right to be informed: Users may want to understand what data is collected about them. Dynatrace products have query functions that support this, and session results can be exported to formats such as JSON for analysis.

  • Right for erasure, also known as right to be forgotten: Users may want their data to be deleted. Session data has a relatively low retention period, and GDPR gives data processors 30 days to process each customer request.

    • For Dynatrace SaaS, the data retention period is 35 days.

    Note: You can anonymize data for specific users that are identifiable by criteria such as IP address or user tag. See Anonymization API for more details.

  • Right to restrict processing: This is supported by the "Do not Track" browser option and the requirement that users accept RUM tracking before the RUM JavaScript is injected into their browsers to enable RUM.

  • Right to data portability: Users may want to change platforms and take their data with them. This isn't relevant in Application Performance Monitoring (APM) because RUM sessions are the property of the data controller. Users have no need to export their click paths and import them into other web applications.

  • Right to rectification or objection: Users may want to change address information or fix incorrect information. This isn't relevant in Application Performance Monitoring because RUM sessions are read-only transaction recordings. If, for example, a user's name is spelled incorrectly, the error doesn't need to be corrected because the data won't be used for any other purpose in the future.

  • Data protection: GDPR specifically rules that state-of-the-art mechanisms be implemented to protect personal data.

    • Dynatrace SaaS deployments encrypt all customer data by default and therefore fulfill this requirement as a data processor.
    • For Dynatrace Managed on-premises deployments and AppMon, the operators are responsible for using appropriate protection, such as transparent hard-disk encryption.