The EU General Data Protection Regulation (GDPR) applies to a ‘company’ whenever the personal information of people within the European Union is present in a company’s data and IT systems. Consequently, GDPR has had a transformative effect on the way companies manage and secure personal data.
Avira and its technology partners exchange information with the purpose of providing a cyber security service. If the data transferred contains the personal information of people within the European Union, both companies have the responsibility to ensure GDPR compliance.
It is important that the business relationship between Avira and a technology partner is structured to meet GDPR. Here, we provide some general guidance describing how this can be achieved. We will address Data Handling, Data Processing, and partner Licensing Agreements
Data Privacy at Avira
At Avira, we understand the importance of our customers’ data. ‘Protecting people in the digital world’ is at the heart of our business. We are committed to our customers’ and partners’ success, and this includes compliance with GDPR.
Avira has taken a comprehensive approach to our GDPR compliance activities. Our services are designed to protect proprietary content and data.
Avira licenses a number of services and solutions to our technology partners that will result in the transfer of data. However, some of these services may result in the transfer of personal information.
Avira’s anti-malware services do not transfer any personal data (pD) to a technology partner. These include all APIs, SDKs, threat feeds, scan engine updates, database updates and virtual appliance image updates.
However, the following services and solutions may result in files containing personal data to be transferred from a technology partner to Avira’s cloud security services (e.g. The Avira Protection Cloud):
- Anti-malware SDKs
- ICAP Security Proxy
- Application Programming Interfaces (APIs)
Each of these services enable the technology partner to specify the type of data transferred to Avira’s cloud security services. These types of data are:
- Executables: Consisting of PE windows executables, Macho, and ELF files, they should not contain PII, but might.
- Documents: Consisting of Office documents, PDFs, etc., which may contain personal data.
- File Hashes: File hashes used by Avira never contain personal data.
Avira and its technology partners must observe the appropriate data handling procedures are GDPR compliant when files containing Executables or Documents are uploaded to an Avira cloud security service.
File Hashes are, by their nature, anonymized, cannot contain personal data and are therefore exempt from GDPR.
Executable or Document files are transferred to Avira’s cloud security service for analysis. The purpose of the transfer is to provision a cyber security service to protect users from malware and cyber-threats.
The upload enables the file (or URL) to be evaluated for any threat or malware that may be present. The data within the file is ‘processed’ for the purposes of malware analysis. Any personal data contained within the file is not ‘processed’ in terms of GDPR Article 4, Part 4 . In most cases, the technology partner also does not ‘process’ the personal data.
For these reasons, the relationship between Avira and a technology partner is normally that of Joint Data Controllers . As Joint Data Controllers, Avira and the technology partner determine the purposes and means of processing the personal data. In this case the purpose is ‘cyber security’ and the means of processing are the malware analysis engines applied within the Avira Protection Cloud
Under GDPR, Controllers have the responsibility for compliance. For all processes in which personal data is processed, Controllers must have a purpose and a legal basis for collecting and storing personal data: The legal basis for storing personal data is the legitimate interest of Avira to provide cyber-security services to its technology partners.
Once uploaded for evaluation, Avira will normally retain a Document or Executable file for an indefinite period. This has very significant benefits for cyber security: it allows the file to be re-assessed later, it improves the quality of malware detection, and helps safeguard both the wider online community.
Occasionally, Avira is asked to delete Document files within a specific period of time after evaluation because they may contain personal data. Avira maintains Executables indefinitely because they should not contain personal data.
We recommend that our OEM / technology partners ensure that their licensing agreements / end user license agreements explicitly state that they will share data with Avira for the purpose of proving a cyber and information security service.
 GDPR refers to ‘natural or legal person, public authority, agency or other body’. For the purposes of this article, we will refer to ‘company’ as it aligns best with the intended readership.