The EU-U.S. Data Privacy Framework (DPF) represents an agreement between the European Commission and the United States executive branch, designed to facilitate trans-Atlantic data flows while ensuring data protection for European individuals. This framework has been further strengthened by the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities.
Esri's Compliance
Esri aligns its practices with the EU-U.S. Data Privacy Framework (DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as established by the U.S. Department of Commerce. Esri has formally certified to the U.S. Department of Commerce that it adheres to the principles set forth in these frameworks regarding the processing of personal data.
Our certification extends to personal data we receive from the European Union under the DPF, from the United Kingdom under the UK Extension to the DPF, and from Switzerland under the Swiss-U.S. DPF. These commitments affirm our dedication to protecting and responsibly handling personal data from these regions.
In cases where Esri transfers this data to third parties acting as agents on our behalf, we maintain responsibility for their processing of this data. Esri is liable under the DPF if such agents process personal information in a way that is inconsistent with the DPF, except where Esri can demonstrate that it is not responsible for the event leading to any damage.
For regulatory oversight, Esri operates under the investigatory and enforcement authority of the U.S. Federal Trade Commission (FTC), affirming our commitment to adhere to privacy standards.
Esri in-scope Services
The EU-US Data Privacy Framework (DPF) establishes critical safeguards for transferring personal data (PII) from the EU to the US. The framework's core tenets include transparency, purpose limitation, data minimization, security, access and rectification, and accountability for onward transfer, all of which are required for maintaining cross-border privacy engagements. Esri's approach to compliance with the DPF principles relevant to ArcGIS products is multi-faceted:
- Notice and Choice: ArcGIS adheres to clear data collection and processing practices outlined in our Privacy Statement and Data Processing Addendums. Cost-based products provide the additional assurance of no targeting cookies for additional privacy assurance.
- Accountability for Onward Transfers: Esri acts as a "qualified entity" under the DPF, accepting responsibility for onward transfers and implementing due diligence procedures for sub-processors.
- Security: Esri has implemented and maintains appropriate technical, organizational, and physical safeguards to protect personal data. This includes measures like data minimization, data retention, and regular security assessments to ensure the protection of data transferred from the EU to the US.
- Data Integrity and Purpose Limitation: ArcGIS processes data only for permitted and functionality purposes and minimizes data collection to relevant needs. We implement data quality measures to ensure accuracy and completeness. .
- Access: ArcGIS provides self-service and customer support channels for individuals to exercise their data access, rectification, and deletion rights, as stipulated by the DPF.
- Data Minimization: Our products are designed to operate with minimal personal data requirements. Esri solutions do not necessitate extensive personal information for functionality.
Resources
Esri's DPF Notice of Certification (Public Department of Commerce Site)
DPF overview (Public Department of Commerce Site)
Esri Legal Privacy(Public)