At Hetzner, we care deeply about the security of your data stored on our servers, as well as the protection of personal data you provide to us to manage your Hetzner account.
We support the new international (GDPR) and local (POPIA) laws regarding data protection which are coming into effect, as they raise the bar for data protection, security, and compliance in the industry.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new European privacy law which becomes enforceable on 25 May 2018. It aims to strengthen the security and protection of personal data in the EU.
The law determines how entities must process and protect the personal data of anyone living in the European Union, and how they must notify those users regarding that data. This includes all aspects of collecting, storing, transferring or using that data.
While we only have a small number of EU customers, we take the protection of your personal data very seriously and have positioned ourselves to comply with relevant data protection laws.
What is Personal Data?
“Personal data” as defined by GDPR is broad and includes:
- Directly personal information, e.g. names and contact details, as well as
- Indirect identifiers, such as email addresses and IP addresses.
Note: GDPR applies to natural persons and not legal persons, like companies. This differs from POPIA, which applies to both natural and legal persons.
What is Hetzner’s role as defined by data protection law?
Two main roles are identified in the legislation:
- The Controller of Personal Data: the entity which determines how and why the data is processed.
- The Processor of Personal Data: the entity which processes personal data on behalf of the controller. Examples of Processing are storage, recording, organisation or retrieval.
Organisations that fall into either or both of these roles are liable and responsible under the legislation.
Hetzner is both a Data Processor and a Data Controller.
Controller: We act as a data controller for the customer information we collect from you when you order products and services from us. This personal data includes details such as names and contact information. In South Africa, this person is called a responsible party.
Processor: We act as the data processor and you are the controller of data that is uploaded to your hosting account or server, as we store this data on your behalf. In South Africa, this person is called an operator.
Your website may capture the personal information of your clients, e.g. when they place orders, subscribe to email or newsletter lists, make payments or book online. You control this data and how it gets collected and used, and Hetzner processes this data by storing it on our servers.
Does the GDPR apply to Hetzner Resellers, designers and developers?
Yes, if you provide products or services to EU residents.
A Reseller of Hetzner services acts as a processor and Hetzner becomes a sub-processor of the information uploaded to your hosting package on Hetzner servers.
If you have EU clients, then you need to comply with the GDPR in the following roles:
- You will be the controller of the personal data that you store in order to contact your customer.
- You will also be a processor of personal data uploaded to your hosting package on our servers.
What personal customer data do we collect and store?
We store personal data that is voluntarily provided by customers when:
- registering with Hetzner
- placing orders for our products and services
- requesting customer support
- signing up for our newsletters.
While we control what information is collected and stored, you are able to amend or remove your personal details online at any time.
Only the information that is required to implement our services is stored. Customer personal data is forwarded only to accredited third parties that we have contracted to offer specialist services, such as domain registrations.
We may also collect other identifying information from our customers, such as IP addresses, SSH public keys or OAuth tokens for external services.
EU personal data may be stored on our servers when customers use their website or server to collect or store data. We have no knowledge of, control over, or access to this data, but because we store the data, we act as the data processor.
What is the “Right to be forgotten”?
The “right to erasure” or “right to be forgotten” means that you have the right to update or have your personal information deleted when it is no longer needed, such as if you cancel your Hetzner services.
You can update or delete any contact details via your konsoleH control panel. If you no longer have services with us and want to delete your entire Hetzner account, contact email@example.com.
Note that historic invoices, which contain names and contact details, cannot be deleted for legal reasons.
What has Hetzner done to become GDPR compliant?
- We have conducted an audit of business processes that deal with personal data of individuals and other subjects, including how we collect, process and store this data securely.
- We have received and implemented qualified legal advice from Michalsons Attorneys, as experts in the field of Privacy and Data Protection.
- We have audited our “Right to be Forgotten” process to ensure that customers leaving Hetzner can have their personal information deleted.
- We have implemented a Privacy by Design and by Default Policy (PbD Policy).
- We have appointed a representative in the EU.
- We have updated our incident response policies and procedures.
Does Hetzner have a Data Processing Agreement (DPA)?
If you are the controller, the GDPR requires you to conclude agreements with your processors when they process personal data on your behalf. Some customers require their processors to sign a Data Processing Agreement (DPA) to fulfil this requirement.
At Hetzner, we have taken the proactive step of updating our Hosting Terms in line with our obligations under the GDPR. This means that you don't need a separate DPA, because these requirements have been included in our Hosting Terms under the 'Data Protection' section.
This section describes the steps we take to ensure that we meet our processor obligations when we provide services to you. You can view our Terms of Service.