Backblaze Policies

Backblaze Privacy Notice for European Economic Area visitors/customers

Last updated: October 5, 2020


UPDATE:
On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as invalid the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Economic Area (EEA) to the United States. That decision does not relieve participants in the EU-U.S. Privacy Shield of their obligations under the EU-U.S. Privacy Shield Framework.

On September 8, 2020 the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland issued an opinion concluding that the Swiss-U.S. Privacy Shield Framework does not provide an adequate level of protection for data transfers from Switzerland to the United States pursuant to Switzerland’s Federal Act on Data Protection (FADP). As a result of that opinion, organizations wishing to rely on the Swiss-U.S. Privacy Shield to transfer personal data from Switzerland to the United States should seek guidance from the FDPIC or legal counsel. That opinion does not relieve participants in the Swiss-U.S. Privacy Shield of their obligations under the Swiss-U.S. Privacy Shield Framework.

In light of the recent ruling issued by the Court of Justice of the European Union on the invalidation of the EU-U.S. Privacy Shield, and the recent opinion provided by the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland on the inadequacy of the Swiss-U.S. Privacy Shield Framework, we are no longer relying on these frameworks when transferring personal information from the EEA and Switzerland to the United States. We continue to comply with applicable EU data transfer requirements, including adherence to no less than the principles of the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. We are closely monitoring development of international data-transfer mechanisms under the GDPR and will update our policies accordingly.

This Privacy Notice is for European Economic Area (EEA) visitors and customers. It supplements the information in our general Privacy Notice, in which we describe how we collect and use your personal data, what we do with the collected data, with whom we share the data, how long we store it and how you can exercise your privacy rights. In this supplemental notice, we provide additional information which is required under European data protection law.

Please also review our Terms of Service and Data Processing Addendum which describe what we can expect from each other when you use our products and services.


Who we are

Backblaze Caret Down Icon
Backblaze, Inc. (“Backblaze”) is a US-headquartered data storage provider that offers two different services:
  • Computer Backup, which provides unlimited cloud backup for individuals and organizations using Macs or PCs (laptops and desktops); and
  • B2 Cloud Storage, which provides low-cost cloud storage for individuals and organizations.

Under EU data protection legislation, Backblaze is the controller of processing of personal information described below.

With regard to the processing of files uploaded to our platform by our users when using our Computer Backup and B2 Cloud Storage services, however, Backblaze is the processor and the person or organization contracting with Backblaze is the controller. We explain more about the distinction between a controller and a processor under EU data protection law here. To learn more about our processing of data as a processor on behalf of a controller, see our Data Processing Addendum.


Legal basis for processing your personal information

Backblaze Caret Down Icon
Under the European data protection rules, we are required to inform you on which legal basis we do the processing of personal data. Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. We will normally collect personal information from you only where we have your consent to do so, where we need the personal information to perform a contract with you, or where the processing is in our legitimate business interests. In some cases, we may also have a legal obligation to collect personal information from you.

If we ask you to provide personal information to comply with a legal requirement or to enter into a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information). Similarly, if we collect and use your personal information in reliance on our legitimate business interests, we will make clear to you at the relevant time what those legitimate business interests are.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the 'How to contact us' heading below.


International data transfers

Backblaze Caret Down Icon
Your personal and non-personal information will be transferred to Backblaze for storage and processing in the U.S.

EU-U.S. and Swiss-U.S. Privacy Shield

When transferring any personal information from the EEA and Switzerland to the U.S., we adhere to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as set forth by the U.S. Department of Commerce. Backblaze has certified adherence to and commits to apply the Privacy Shield Principles to all personal information it processes in reliance on the Shield.

For the purposes of enforcing compliance with the Privacy Shield, we are subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission.

For more information about the Privacy Shield, and to view our certification, see the U.S. Department of Commerce’s Privacy Shield website located at: https://www.privacyshield.gov.

If we have received your personal information in the U.S. and subsequently transfer it to a third-party agent or service provider for processing, and such third-party agent or service provider processes your personal information in a manner inconsistent with the Privacy Shield Principles, we remain responsible under the Privacy Shield unless we can prove we are not responsible for the event giving rise to the damage.

You can direct any questions or complaints about the use or disclosure of your personal information to us at [email protected]. We will investigate and resolve any complaints or disputes regarding the use of personal information within forty-five (45) days of receiving your complaint.

We have further committed to using the American Arbitration Association (AAA) to provide an independent recourse method. AAA will handle any complaints Backblaze is unable to resolve.

You may have the option to select binding arbitration for the resolution of your complaint under certain circumstances. To find out more about the Privacy Shield's binding arbitration scheme please see https://www.privacyshield.gov/article?id=ANNEX-I-introduction.

For information on how to request access, rectification or deletion of your personal information if it is inaccurate or processed in violation of the Privacy Shield, see the "Your data protection and privacy rights & choices" section which follows


Your data protection and privacy rights & choices

Backblaze Caret Down Icon
If you live in one of the countries of the European Economic Area (EEA), or if you use our service from one of these countries, you have the following rights, which you can exercise at any time as described or by contacting us here:
  • If you wish to access your personal information that Backblaze collects. We explain how you can access part of your data through your account here.
  • You can correct, update or request deletion of your details in your Account by logging in to your Account or contacting us.
  • You can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information where applicable and technically possible. You can find more information on objecting to, or restricting certain processing here. You can find more information on requesting portability here.
  • If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
  • You have the right to opt-out of marketing communications we send you at any time. You can exercise this right here or by using the unsubscribe link provided in each email. It may take up to 3 business days to remove you from our marketing lists. Please note that even after you opt out, you will still receive Service Emails from us. You can learn more about our Email communications here.
  • You have the right to complain to a data protection authority about our collection and use of your personal information. Contact details for data protection authorities in the EEA, Switzerland and certain non-European countries (including the U.S. and Canada) are available here.


How to contact us

Backblaze Caret Down Icon
If you have any questions or concerns regarding the collection, use or disclosure of your personal information, you can contact us by sending an email to [email protected] or by contacting us at:

500 Ben Franklin Ct,
San Mateo, CA 94401, U.S.
+1 650-352-3738



Previous Version(s):