Last updated: November 13, 2024
Backblaze, Inc. (“Backblaze”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Backblaze has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Backblaze has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
This Privacy Notice is for residents of the European Economic Area (EEA), the European Union (EU), the United Kingdom (UK) and Switzerland. It supplements the information in our general Privacy Notice, in which we describe how we collect and use your personal data, what we do with the collected data, with whom we share the data, how long we store it, and how you can exercise your privacy rights. In this supplemental notice, we provide additional information that is required under European, UK, and Swiss data protection laws.
Please also review our Terms of Service and Data Processing Addendum, which describe what we can expect from each other when you use our products and services.
Backblaze is a US-headquartered data storage provider that offers two different services: Computer Backup, which provides unlimited cloud backup for individuals and organizations using Macs or PCs (laptops and desktops), and B2 Cloud Storage, which provides low-cost cloud storage for individuals and organizations. Under EU data protection legislation, Backblaze is the controller of the processing of personal information described below.
With regard to the processing of files uploaded to our platform by our users when using our Computer Backup and B2 Cloud Storage services, however, Backblaze is the processor. The person or organization contracting with Backblaze is the controller. To learn more about our processing of data as a processor on behalf of a controller, see the following documents: DPA for EEA/EU Residents, DPA for UK Residents, and Swiss Addendum to the EU SCC.
Under the data protection rules, we are required to inform you on which legal basis we process personal data. Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. We will normally collect personal information from you only where we have your consent to do so, where we need the personal information to perform a contract with you, or where the processing is in our legitimate business interests. In some cases, we may also have a legal obligation to collect personal information from you. If we ask you to provide personal information to comply with a legal requirement or to enter into a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information). Similarly, if we collect and use your personal information in reliance on our legitimate business interests, we will make clear to you at the relevant time what those legitimate business interests are. If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the How to Contact Us heading below.
We may transfer your personal information to third parties that act as our agents or service providers for the purposes described in our Privacy Policy. When we do so, we will only transfer your personal information for limited and specified purposes and in compliance with the DPF Principles on Accountability for Onward Transfers. We will also ensure that any third parties that receive your personal information from us under the DPF Principles are obligated to provide at least the same level of privacy protection as is required by the DPF Principles and will notify us if they can no longer meet this obligation.
We remain responsible for processing your personal information that we receive under the DPF Principles and subsequently transferring it to a third party acting as an agent on our behalf. We are liable for any violations of the DPF Principles by the third-party agent unless we can prove that we are not responsible for the event giving rise to the damage.
Backblaze shall only disclose the personal data to a third-party on documented instructions from the Customer/Visitor. In addition, the data may only be disclosed to a third-party located outside the European Union (in the same country as Backblaze or in another third country, hereinafter “onward transfer”) if the third-party is or agrees to be bound by the Standard Contract Clauses, set out in our DPA for EEA/EU/UK Residents or if:
(i) the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third-party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise, or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by Backblaze with all the other safeguards under this Privacy Notice, in particular with the principle of purpose limitation.
(a) Backblaze may disclose personal data received by residents of the EEA/EU, UK, or Switzerland to third-parties in adherence with the Customer/Visitor’s documented instructions and under the following conditions:
(i) Service Providers: Backblaze may share your personal data with our service providers that perform services on our behalf, such as data analysis, customer service, marketing assistance, information technology support, and related services.
(ii) Affiliates and Partners: Backblaze may share your personal data with our affiliates and partners where it is necessary for providing our services, conducting our operations, or enhancing the user experience.
(iii) Legal and Regulatory Authorities: Backblaze may share your personal data with legal, governmental, or regulatory authorities when required by law or legal process or to establish, protect, or exercise our legal rights or defend against legal claims.
(b) In the case of an onward transfer, Backblaze ensures that:
(i) the third-party is bound or agrees to be bound by the Standard Contract Clauses under the appropriate Module set out in the following documents: DPA for EEA/EU Residents, DPA for UK Residents, and Swiss Addendum to the EU SCC.
(ii) the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679;
(iii) the third-party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679;
(iv) the onward transfer is necessary for the establishment, exercise, or defense of legal claims; or
(v) the onward transfer is necessary to protect the vital interests of the data subject or another natural person.
(c) All disclosures and onward transfers are subject to compliance with all the other safeguards set out in the following documents: DPA for EEA/EU Residents, DPA for UK Residents, and Swiss Addendum to the EU SCC.
If you live in one of the countries governed by GDPR, UK GDPR, or Swiss Data Protection Law, or if you use our services from one of these countries, you have the rights explained below, which you can exercise at any time as described. You can also exercise these rights by submitting a data subject request here or by contacting us at privacyrequest@backblaze.com.
You can correct, update, or request deletion of your details in your Account by logging in to your Account or contacting us.
You can object to the processing of your personal information, ask us to restrict the processing of your personal information, or request portability of your personal information where applicable and technically possible. You can find more information on objecting to or restricting certain processing here. You can find more information on requesting portability here.
If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
You have the right to opt out of having your personal information (i) disclosed to third parties or (ii) used for purposes materially different from those for which it was originally collected or subsequently authorized by you. You can find more information on exercising this right here.
For any personal information considered sensitive, such as information relating to medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or sexual orientation, we will seek your affirmative express consent (opt-in) before (i) disclosing this information to third parties or (ii) using it for purposes beyond those originally collected or subsequently authorized by you. If we receive sensitive information from a third party that treats it as such, we will handle it with the same level of protection.
If we share your personal information with third parties acting as agents on our behalf to perform tasks under our instructions, we will enter into a contract with those agents. While no opt-out is required for this type of disclosure, we will ensure they provide the same level of protection to your personal information as required under applicable law.
You have the right to opt out of marketing communications we send you at any time. You can exercise this right here or by using the unsubscribe link provided in each email. It may take up to three business days to remove you from our marketing lists. Please note that even after you opt out, you will still receive Service Emails from us. You can learn more about our Email communications here.
You have the right to complain to a data protection authority about our collection and use of your personal information. Contact details for data protection authorities in the EEA are available here, in the UK here, and in Switzerland here.
(a) Backblaze agrees to notify the Customer/Visitor and, where possible, the data subject promptly (if necessary, with the help of Backblaze) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to Backblaze.
(b) If Backblaze is prohibited from notifying the Customer/Visitor and/or the data subject under the laws of the country of destination, Backblaze agrees to use its best efforts to obtain a waiver of the prohibition, communicating as much information as is available, as soon as possible. Backblaze agrees to document this available information to its best efforts in order to be able to provide the information on request of the Customer/Visitor.
(c) Where permissible under the laws of the country of destination, Backblaze agrees to provide the Customer/Visitor, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether such requests have been challenged and the outcome of such challenges, etc.).
(d) Backblaze agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and to make the information available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of Backblaze pursuant to Clause 14(e) and Clause 16 to inform the Customer/Visitor promptly where Backblaze is unable to comply with these Clauses.
(a) Backblaze agrees to review the legality of the request for disclosure, in particular, whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. Backblaze shall, under the same conditions, pursue possibilities of appeal. When challenging a request, Backblaze shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e) of the EU SCC.
(b) Backblaze agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the Customer/Visitor. It shall also make it available to the competent supervisory authority on request.
(c) Backblaze agrees to provide the minimum amount of information permissible when responding to a request for disclosure based on a reasonable interpretation of the request.
Backblaze is subject to the investigatory and enforcement powers of the FTC, which is the federal agency responsible for protecting consumers and maintaining competition. We may be required to disclose personal information that we handle under the Data Privacy Framework in response to lawful requests by public authorities for reasons including meeting national security or law enforcement requirements.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Backblaze commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-UK-U.S. DPF and the Swiss-U.S. DPF should first contact Backblaze at privacyrequest@backblaze.com.
In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Backblaze commits to resolve complaints about our collection or use of your personal information. EU, UK and Swiss individuals with inquiries or complaints regarding our Data Privacy Framework policy should first contact Backblaze at the contact information provided under the How to Contact Us section, above.
In compliance with the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Backblaze commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to ICDR-AAA, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of ICDR-AAA are provided at no cost to you.
For residual complaints not fully or partially resolved by other means, you may invoke binding arbitration to address complaints about Backblaze’s compliance with the DPF Principles as detailed in the Principles available here.