Mixpanel GDPR FAQ

What is the GDPR?

The General Data Protection Regulation (“GDPR”) is a new comprehensive data protection law in the European Union (“EU”) that updates existing laws to strengthen the protection of personal data in light of rapid technological developments, increased globalization, and more complex international flows of personal data. It replaces the patchwork of national data protection laws currently in place with a single set of rules, directly enforceable in each EU member state. The GDPR goes into effect on May 25, 2018.

How does GDPR impact Mixpanel and its customers?

The GDPR regulates the “processing” of personal data of any EU resident (who is referred to as a “data subject”). “Processing” includes the collection, storage, transfer, or use of personal data. This means that any company that processes the personal data of any data subject, regardless of where the company is based, is subject to the rules of the GDPR. Additionally, the GDPR defines personal data very broadly; the definition includes name, email, demographic information, real-time location, online activity, and health information, to name a few.

As the leading user analytics platform, Mixpanel receives billions of data points from all over the globe, including data points that are or contain personal data from data subjects. This means that both Mixpanel and our customers sending us data will need to comply with the requirements of the GDPR.

Is Mixpanel collecting data?

As between Mixpanel and our customers, Mixpanel is the “data processor” and the customer is the “data controller”, as such terms are defined under the GDPR. The data controller collects data from data subjects (i.e., a customer’s end users) and determines how and why personal data is processed. The data processor receives the data from the data controller and acts upon instruction from the data controller.

Does GDPR require data to stay in the EU or to be stored in the EU?

No. Generally speaking, there is no requirement in the GDPR that personal data must stay in the EU as long as there is a legal framework in place to validate the data transfer; the GDPR recognizes several frameworks including the Privacy Shield. Mixpanel has self-certified under the EU-US Privacy Shield Framework and will maintain our certification under the Privacy Shield Framework or any replacement framework that may come into force.

Will Mixpanel be compliant with GDPR?

Yes. Mixpanel is committed to complying with GDPR, and enabling our customers to comply with GDPR. Mixpanel has an ongoing commitment to providing leading data protection to our customers. We maintain a robust privacy and security program that we continually assess and improve to meet the needs of our customers, and to maintain industry leadership in data protection among product analytics companies. We have consistently reinforced our commitment to protecting our customers’ data through our actions over the last few years, including:

  • In October 2015, when the European Court of Justice invalidated the EU-U.S. Safe Harbor program, we began entering into data processing addendums with affected customers that allowed them to continue to transfer data to Mixpanel without interruption
  • In November 2016, we were among the first core user analytics platforms to certify compliance with the EU-US Privacy Shield Framework
  • In October 2017, we re-certified our compliance with the EU-US Privacy Shield Framework, and also certified under the Swiss-US Privacy Shield Framework
  • In October 2017, we shared our plan for GDPR compliance with customers to provide transparency into our compliance efforts

Will Mixpanel enter into a Data Processing Agreement (“DPA”) with me?

Yes. We understand the GDPR has robust requirements and obligations for both data collectors and data processors and we are committed to helping our customers use Mixpanel in a compliant manner. We have made our DPA available online so that our customers can be confident that their data is processed in a lawful manner.

Does Mixpanel have publicly available information about its security program?

Mixpanel’s Security White Paper is available for our customers to review. We have also developed a template security questionnaire responding to the most common security questions we receive from our customers.

Where can we find out more?