Data Privacy Positioning Statement
Purpose of this document
This document provides information about how Equinix, as a global organization, manages compliance with its data privacy law obligations in the context of Equinix Metal.
This document is provided for informational purposes only and does not constitute legal advice.
For products and services not covered by this positioning statement, please visit Trust & Transparency page.
Equinix as a processor of personal data
In the provision of Equinix Metal, Equinix has a limited role as a processor of customer personal data (as the term ‘processor’ is defined by Article 4(8) of the General Data Protection Regulation (GDPR)). Equinix does not have logical access to any data (including any potential personal data) uploaded by customers to Equinix Metal. However, Equinix performs defined automated operations as part of the life-cycling of Equinix Metal; Equinix Metal uses industry standard hard disk erasure routines when a device is deprovisioned as a limited operation on data consistent with the definition of a processor.
Equinix as a controller of personal data
Separate from its limited processing of personal data as a processor for Equinix Metal, Equinix processes certain personal data as a controller. Specifically, Equinix processes:
names and business contact information (BCI) of customer representatives for the purpose of managing the customer relationship (e.g. email correspondence, billing, etc.); and
names and BCI, as well as individual biometric data, for the purpose of allowing secure access of customer representatives to its data centers.
Equinix complies with its obligations under applicable data privacy laws in relation to these processing activities, which are covered by Equinix’s Privacy Statement and privacy policies.
Equinix’s Data Processing Agreement (DPA)
With respect to its role as a processor for Equinix Metal, Equinix uses a Data Processing Agreement (DPA). The Equinix Metal DPA can form part of the Digital Service Agreement entered into between Customer and Equinix for the provision of Equinix Metal. A copy of the DPA can be viewed on Trust & Transparency page.
Equinix’s use of sub-processors
In common with most suppliers, Equinix uses certain trusted third parties to help it provide Equinix Metal. These third parties may similarly carry out limited processing of customer personal data as ‘sub-processors’.
Customer assistance with data privacy obligations
As controllers, customers may be required to comply with certain data privacy obligations in relation to personal data processed through Equinix Metal. For example, providing access to, amending, or deleting personal data (whether in response to a data subject request or for other reasons).
Taking into account the nature of the processing performed by Equinix Metal, and in particular its lack of logical access to customer personal data, the assistance which Equinix can provide is necessarily limited. In nearly all cases, the customer is best placed to perform any required actions, using the functionality and tools built into Equinix Metal, such as removing all of the customer data on the Equinix Metal server.
Restricted international transfers between Customer and Equinix
In the limited manner where Equinix may be a data processor in the deprovisioning of an Equinix Metal server, there shall not be any form of international transfer of any customer personal data deleted.
To the extent that there is a restricted international transfer of personal data between the customer and Equinix, the DPA incorporates the 2021 EU Commission Standard Contractual Clauses, as well as the UK Addendum to the Standard Contractual Clauses, which provide for appropriate safeguards under Article 46 GDPR.
Restricted international transfers between Equinix and third parties
Equinix may use sub-processors to help it deliver Equinix Metal. Where such sub-processors are used, these sub-processors may also process data outside of the European Economic Area, the United Kingdom or Switzerland.
In these circumstances, Equinix will enter into appropriate safeguards with sub-processors, such as Standard Contractual Clauses, as required by the applicable privacy laws. With respect to transfers of personal data between Equinix entities where Equinix acts as controller, Equinix has adopted Binding Corporate Rules (BCRs) which have been approved by supervisory authorities in both the Netherlands and the UK and enters into Standard Contractual Clauses if the transfer is not covered by BCRs.