In accordance with guidance from the EDPB, MaxMind has enhanced and updated its data transfer program to review, assess and verify its data transfer needs and obligations, including:
- To map its data inventory and transfer of personal data governed by the GDPR;
- To verify its transfer tool, including transfers to the US where MaxMind customer data may be processed;
- To assess the laws, regulations and practices in the US and elsewhere where personal data is processed.
MaxMind has conducted transfer impact assessments for its products related to the use of personal data governed by GDPR. Based on its assessments, MaxMind determined that for its particular circumstances and data processing needs for customers, the legislation deemed problematic is not relevant to MaxMind.
This is based on a totality of factors, including the lack of a history of problematic law enforcement requests at MaxMind; the lack of externally available information that contradicts MaxMind’s experience; and MaxMind’s policy and technical privacy-by-design measures, which provide very stringent controls against third-party law enforcement or cloud provider access.
Thus, MaxMind’s data transfer impact assessment demonstrates an equivalent set of protections without a level of risk that would require additional supplementary measures to accompany the SCC tool. MaxMind has no reason to believe that the problematic legislation will be interpreted or applied in practice to the personal data processed by MaxMind on behalf of its customers.
In addition to our assessment that problematic legislation is not, in practice, relevant to MaxMind customer data, we continue to provide strong protective security measures as part of our GDPR program, including:
- Scrutiny of law enforcement requests to establish legality and appropriate limitations in scope, in accordance with a formal, written MaxMind Policy on public authority and law enforcement requests.
- Data minimization efforts designed to result in timely deletion of data and pseudonymization of records.
- Multi-factor authentication (MFA) requirements for internal MaxMind resources, for external MaxMind resources where supported, and MFA support for MaxMind customer portal accounts.
- Holistic accountability procedures, including enhancing the transparency of the customer portal account activity displayed in each customer portal account.
- Continual review and enhancement of custom monitoring and alerting around services and the internal network, including third-party access on customer accounts.
- A robust data protection awareness program and overall work culture with a heavy emphasis on privacy.
- Strong technical, process and contractual controls, including authentication controls to prevent access without explicit authorization, as one of the primary pillars of our networks' zero trust architecture.
- Transmission of data is encrypted from end to end.
This page was last updated on .