Meraki & GDPR

Data Controller: the entity responsible for making decisions regarding the processing of personal data that has the direct relationship with the individual data subject (i.e., when handling employee data, Cisco Meraki acts as the Data Controller.)

Data Processor: the natural or legal person processing personal data on behalf of the Data Controller. Importantly, GDPR significantly changes the level of responsibility and accountability of Data Processors. Under GDPR, Data Processors have direct liability and are subject to regulatory enforcement and civil actions. GDPR also imposes statutory obligations related to processing records, data breach notification processes and erasure of personal data. Notably, when providing products to our customers, Cisco Meraki acts primarily as a Data Processor with respect to customer personal data.

Personal Data: any information relating to an identified or identifiable natural person (i.e., the data subject).

Processing: any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Security is foundational to the design of all products and solutions at Meraki. According to the GDPR, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Meraki has invested heavily in building security into every layer of the dashboard. In accordance with requirements of the GDPR around security incident notifications, Meraki will continue to meet its obligations and offer contractual assurances. Some examples are:

• Out-of-band Control Plane. Only network management information (not user data) flows from devices to the Meraki cloud, dramatically limiting the amount of personal data that is transferred to the Meraki cloud.
• Networks configured to operate in the EU Cloud ensure that even the network management information is stored only in the European Economic Area (EEA), including failover and back-up. With best practices implemented, customers can prevent the transfer of any personal data outside the EEA.

More information about Meraki’s security and tools can be found here.

Meraki from time to time may partner with third party service providers who contract to provide the same level of data protection and information security that customers can expect from Meraki. Some of these third parties are engaged as “subprocessors” to process customer data, including limited personal data, in connection with providing you Meraki products, including the dashboard.

A list of Meraki’s subprocessors can be found here.

The GDPR provides for several mechanisms to facilitate transfers of personal data outside of the European Economic Area (EEA). These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.

Binding Corporate Rules (BCR)
Cisco’s BCR-C has been approved. Cisco’s data protection and privacy policies, standards, and related documentation (“BCR-C”) have been approved by the European data protection supervisory authorities.  This approval demonstrates that Cisco’s Data Protection & Privacy program is aligned with EU requirements, including GDPR.  Cisco’s BCR-C sets forth the mandatory, minimum standards for handling EU personal data by Cisco, as a data controller.  BCR-C approval serves as a legally valid transfer mechanism and commits Cisco to processing EU personal data in accordance with EU data protection standards anywhere in the world that Cisco operates.

EU-U.S. Data Privacy Framework, the U.K. Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework
Cisco is certified under three frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, processing, and cross-border transfer of personal data from the European Economic Area (EEA), the United Kingdom (and Gibraltar), and Switzerland, respectively. Cisco is committed to managing all personal data received from the EEA, United Kingdom (and Gibraltar), and Switzerland, in compliance with the requirements of the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the U.K. Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). Under EU-U.S. DPF, the U.K. Extension to the EU-U.S. DPF, and Swiss-U.S. DPF Cisco is responsible for the processing of personal data it receives and subsequently transfers to a third party. Cisco complies with the EU-U.S. DPF, the U.K. Extension to the EU-U.S. DPF, and Swiss-U.S. DPF for all onward transfers of personal data from the EEA, the United Kingdom (and Gibraltar), and Switzerland., including the onward transfer liability provisions. To learn more about EU-U.S. DPF, the U.K. Extension to the EU-U.S. DPF, and Swiss-U.S. DPF , visit the U.S. Department of Commerce’s Data Privacy Framework site.

Cisco Master Data Protection Agreement with EU Model Clauses
To protect the free movement of personal data (both Cisco’s and Cisco’s customers’) as needed around the world, we have made available a Master Data Protection Agreement (MDPA) we require from our suppliers and offer to our customers. This MDPA, includes EU Model Clauses which can be inserted where applicable. EU Model Clauses are standardized contractual clauses approved by the EU Commission to be used in agreements by EU-based data controllers to safely (and in compliance with EU requirements) transfer personal data outside of the EU to a non-EU data processor for handling.

The Meraki service is colocated in tier-1 data centers and select public service providers with certifications such as PCI, SOC 2, and ISO 27001. Visit our Data Center page to learn more.

Meraki maintains security incident management policies and procedures, including detailed security incident escalation procedures. If Meraki becomes aware of any unlawful destruction, loss, alteration or unauthorized disclosure of Customer Data (a “Security Incident”), then Meraki will notify Customer without undue delay and provide Customer with relevant information about the Security Incident, including the type of Customer Data involved, the volume of Customer Data disclosed, the circumstances of the incident, mitigation steps taken, and remedial and preventative action taken.

The Meraki cloud based architecture is designed from the ground up with data protection, privacy, and security in mind. With all new features and product, the Meraki team focuses on these pillars to ensure we provide the best, safest, and most secure solutions to our customers.

More information about privacy can be found here.

The Meraki dashboard contains several logging subsystems that each have unique data retention and export options available. Datasets like event, configuration, and analytics are used for different purposes (business intelligence, operations, risk management, etc.) and are reflected in the native logging capabilities. Data is kept in our systems and backups for no longer than 14 months. This period is set to enable our customers to do year over year reporting. For more information, see our Privacy Data Sheet.