Privacy and GDPR

  • 30 September 2020
  • 17 replies
  • 7224 views

Hello,

 

We have a few questions on GDPR and the DPA (Data Processing Agreement). The US-EU Privacy Shield has been invalidated recently by the EU Court of Justice. Unfortunately, in your DPA you are still referring to this shield… but even more than this, in its decision, the European Court of Justice requires data processors to indicate which supplementary measures are taken to ensure a good level of data protection next to the SCCs. We tried to contact your DPO at privacy@miro.com to discuss this, as it’s not mentioned in your online documentation, but we still have no reply so far. Could someone support us here, as it’s important to be GDPR compliant? Many thanks for your support!

Ekaterina Gabdulbarova 2 years ago

Hello!

I am Kate, Miro legal counsel. Regarding Privacy and GDPR:

Miro fully complies with the EU GDPR, CCPA and the UK GDPR; the operation of the services as well as our customers’ use of Miro in accordance with the Terms of Service complies in all respects with these laws. In order to provide the services to our customers, and in compliance with these data privacy regulations, we regularly transfer personal data to our global offices (including US-based locations) and to our subprocessors located throughout the world. In the absence of an adequacy decision by the EC, we utilize the Standard Contractual Clauses as the approved data transfer mechanism for such transfers (see Articles 45(3) and 46, GDPR).

Please also see our Terms of Service located at https://miro.com/legal/terms-of-service/, as well as our DPA (https://miro.com/static/legal/Miro-Data-Processing-Addendum.pdf) for further details on our transfers of personal data and compliance with these data privacy laws.

Best,

Kate


Hi, I would like to second this question. We love using Miro but have concerns about GDPR compliance


Hi there,

@Maricq Johan 

Great questions! Here’s the reply from the Legal Team:

We are aware of the July 16 decision from the Court of Justice of the European Union (CJEU), which invalidated the EU-U.S. Privacy Shield. Miro’s existing Data Processing Agreement provides for alternative methods to Privacy Shield to enable cross-border data transfer solutions. Specifically, Section 7.2 of our DPA incorporates the Controller to Processor Standard Contractual Clauses (SCCs), which have been approved by the European Commission and remain valid.   

We believe that these remain valid because the risks identified in the CJEU decision likely do not apply to transfers to Miro, which, to date, has never received any National Security process under the authorities described in the CJEU decision. Although these SCCs are incorporated into our DPA, if you would like to separately execute these Standard Contractual Clauses with us, we would be glad to assist with that. Please contact legal@miro.com to initiate this process. 

We are continuing to monitor guidance from the EU and its Data Protection Authorities on this as well.  As legally required, Miro will continue to comply with its obligations to our customers and their users with respect to data already received under Privacy Shield.

 

Our DPA is attached. You can sign it and send it to legal@miro.com.

Btw, @Maricq Johan, we checked the privacy@miro.com inbox and couldn’t find a message from your email address.

 

@AndSiem, just to clarify - Miro adheres to GDPR standards and is registered within the EU with relevant Data Authorities (taken from the Security at Miro page).

Hello @Marina ,

Many thanks for your reply. The email was sent by our DPO, Aude Gaudy, not from my email address, but I was normally cc’d. I sent you a PM with her email address. Can you cross-check the inbox?

A questionnaire based on information from the European Data Protection Authorities needs to be completed by Miro to provide evidence that Miro’s situation is compliant enough to use the SCCs (SCCs alone are not sufficient). Is Miro available to fill in this questionnaire or to provide a compliance guarantee (other than the standard statement above)? You can contact our DPO at privacy@elia.be or reply to the email we sent you.

Regards,

Johan


@Maricq Johan,

Thank you for the clarification!

We have found the email now. The Legal team will reply to Aude directly. 

@Marina We have the same legal problem with GDPR and privacy shield and realtimeboard Inc. remains unresponsive:

  1. We need SCCs that are separated from the DPA
  2. The 1st appendix to the SCCs is missing
  3. Technical and organizational measures are not described in the SCCs
  4. We have not received a signed version of the SCCs
  5. The DPA still references the invalidated Privacy Shield

We have addressed these issues since August 17th but not received sufficient feedback to these (not from support@miro.com, legal@miro.com or privacy@miro.com).

I can provide the e-mail address from which the issues were addressed in a private message.


@Sebastian Schmidt & @Marina :

I have pointed this out many times here.

In Germany we have big problems as long as there is a Privacy Shield that is not supported by German law.

So as result:

German users of miro are not allowed to put personal information, e.g. of customers or other board participants, into a miro board, or the participants have to sign that they allowed this.

As long as there is no signed document from a participant, we can invite no one directly into a miro board when there is personal data of the participant on the board.

No way!

So a big showstopper for us Germans. As a result we have to look for other competitors’ solutions.

So there are 2 or 3 competitors that are GDPR compliant and have no problems with the Privacy Shield because they don’t have one. Their servers are here in Germany. And in Germany it is not allowed to give participants’ data to others …

@Marina : You know how passionate I am for miro but this is a fact which stops

  • little tiny steps and of course
  • a real big leap into

a German market

- no matter what miros Management is planning for Germany.

As long as miro has this Privacy Shield the German market is only a

  • country road
  • vs a highway

when it comes to collaboration.

You’ve got the best product in the world - please make it happen that we in Germany can use this without legal restrictions because of German / European law!

Michael

@mlanders From my point of view this does not only affect Germany but every single country in the EU, since GDPR is a European law and the ECJ invalidated the EU-US Privacy Shield.


@Sebastian Schmidt :

That is, for a great number of European / German users, a bitter farewell to miro or a hard fight with their clients to get them to sign a document which allows giving their data away …

@Marina: Do you really want to lose a big number of European users?

What is the smallest step you mironeers can do, so that the European law is fulfilled?

Please if there are any single steps that you at miro can do - Do it - this would really help us and help you to get the highway of the German market of collaboration platforms.

E.g. if you have 3000 German customers now … you’re going to get 10000 new German users much faster and in a much shorter time … think about it ...

 

Michael


Hi @Sebastian Schmidt and @mlanders,

Thank you for reaching out! Some comments and questions from the Legal Team:

In addition to our reliance on the SCCs as our current data transfer mechanism, here is some additional information regarding our cross-border transfer solutions:

1. Miro data is encrypted both within our data centers and during transit to ensure that only authorized users may access data. Miro never transfers data unencrypted. 

2. To date, Miro has not received a National Security Process under the authorities described in the CJEU decision.  Further, you may also request a National Security Process Transparency Report on an annual basis by emailing trust@miro.com.

3. Our internal policies on processing surveillance requests include challenging any surveillance process that does not include judicial redress.

Again, we are continuing to monitor guidance from the EU and its Data Protection Authorities on this and will continue to comply with our obligations to our customers and their users with respect to data, as required by applicable law.

 

You also mentioned that “the DPA still references the invalidated Privacy Shield”, - could you please point to this?

If you have any concerns about GDPR compliance, please share what exactly you mean.

 

In any case, such questions should be sent to the Legal Team directly at legal@miro.com.

@Sebastian Schmidt, I’m sorry you didn’t receive a reply. I will DM you about this to figure it out.

Thank you for your understanding.

@Marina The DPA references the Miro website (https://miro.com/legal/privacy-policy/), where the EU-U.S. Privacy Shield Framework is still published as part of your privacy policy (under #12).


Thanks, @Sebastian Schmidt!

We’ll handle it. 

Hi @Marina, I look forward to hearing about a solution. We are ready to use it at our university, as a project tool for the students. But I don’t feel comfortable pushing forward until I know that it is GDPR compliant.
Until then we will use Microsoft Whiteboard, which is still unstable in Teams and lacks a lot of features.

Maybe you could look into this: http://www.imsglobal.org/activity/trusted-apps-data-privacy-certification

Hello, 
 
We are looking to buy a Team account to start using Miro. We are a UK-based company and need to comply with the GDPR policy that our data doesn’t leave the EU. Are you able to confirm that this is the case for production data and data backups? Your website seems to state that data could be transferred over to the US?

Hello Jack!

Indeed, by default your production data will be in the EU. Backups by default are in the US.

However, with our Enterprise plans we offer more data plan options which can satisfy your requirements by also keeping the backups of your user-generated data in the EU.

For more information on the options available, please reach out to your Miro account team or sales@miro.com

Hope this helps!


@Rose Randall:

I’m sure that this handling was something that made sense before the new Privacy Shield thing in March/April 2020. But at this time, you can believe me, I hate to say this:

Miro is acting against German and European law - if you bind this to the Enterprise Accounts -

Since the Privacy Shield here in Europe has fallen: For every European miro user: You have to make sure that no data is going into the US so …

To point this out:
None of us German / European users of miro can collaborate with people on a miro board - no one - as long as data are going to the US. If we do so, we - every single one of us - are acting against European law.

So we have to look for alternatives or not work together on a single board with our clients … so we’ve got a not fully working version of miro … because we cannot collaborate.

I normally have a normal tone in my postings but in this case:

I really recommend giving us an update here on what you’re going to do next, because I and everyone at miro knows:

You are going to start into the German market by opening Munich and Berlin.

Entering the German market only makes sense when you handle this in accordance with European law - you are now acting against these laws …

For us German / European Users we need to have miro on our side but

now we are left all alone with a big big problem

and if you only handle this problem for the Enterprise users, you’re acting against the laws - that’s a fact.

Please do something and help us … your loyal miro users in Europe

Otherwise we have to move to Kalxxon or Conceptboard, although these products cannot offer the same quality / workflow / options miro does.

 

--- Update ---

By reading this you can maybe feel and read a lot of frustration from an enthusiastic German user who has been using miro since 2019 - but I’m frustrated that I cannot use miro and the full potential of its collaboration abilities …
No - I cannot decide to do this: German and European rights are clearer than they were ever before:
We aren’t allowed to
  1. save
  2. edit
  3. work
  4. with any personalized data of clients
  5. if this data is going outside of the EU
  6. we have to guarantee that this never happens
  7. because when this happens, we are breaking German and European law
  8. but we cannot
  9. therefore we can only use it without collaboration
  10. because the login process into a miro board is a process where data gets collected because of the user IP / country / computer / ...

Please help us miro! Please do something for your European customers - We need your help!

 

@Hans Heiselberg

Even Microsoft Whiteboard sends its data to its US servers - that is the same as miro.

If you want to do it best: You should search for a European-based server solution.

But as long as there is no personal data being stored on your board, there is no problem.

 

It all began in 2011 when Andrey Khusid and Oleg Shardin had a vision that everyone could collaborate via the Internet; they founded Realtimeboard and gave everyone the opportunity to join their vision.

 

In 2019 they changed the label from Realtimeboard into Miro.

Their dream came true for everyone around the world. A small company has grown into a worldwide leading cloud-based collaboration company with over 15 million users.

Everyone was able to collaborate together all around the world. Everyone had this freedom!

In 2020 European law made a huge cut into the collaboration world:
The “Privacy Shield”, the ground for collaboration and a data flow between international companies, was taken away ….

No one in the European world could use software / Internet / cloud-based services like this the way it was possible before.

Endcustomers like us European users since this date had to fear of lawyers because we cannot work freely anymore.

In 2021 Miro is again making history: They are stepping into the German market - two cities with new miro locations are being founded (Munich / Berlin) and miro is still growing.

Miro now can change the history for so many waiting European users by placing a physical server onto European ground to go back to their roots again:

To make possible that even German / European users can collaborate freely / without any fear of breaking the law. We are now working with a minimalistic version of miro because no personal data is allowed to go to the US - That is law - not ours - it is European law - we - the users cannot change it - but

You Miro - You’ve got the future of all European users in your hand:

You can make it happen that we can freely use miro again without restrictions - place a physical server onto European ground so we can use a full version of miro

Please change history again and let your vision of a growing market and freely collaborating people all over the world not stop at European borders -



We the German/European users got one big problem: We cannot use miro in full without getting in trouble with German or European law ... 

To say it clearly: I’m an enthusiastic miro user and I have found my way of using it, but I cannot use it fully like every other user outside of the EU can, because I do not want to get in trouble with the law!
 

Best Regards
Michael Landers