Last updated: October 6, 2023
This Privacy Notice is for residents of the European Economic Area (EEA), the European Union (EU), the United Kingdom (UK) and Switzerland. It supplements the information in our general Privacy Notice, in which we describe how we collect and use your personal data, what we do with the collected data, with whom we share the data, how long we store it, and how you can exercise your privacy rights. In this supplemental notice, we provide additional information that is required under European, UK, and Swiss data protection laws.
Please also review our Terms of Service and Data Processing Addendum, which describes what we can expect from each other when you use our products and services.
Backblaze is a US-headquartered data storage provider that offers two different services: Computer Backup, which provides unlimited cloud backup for individuals and organizations using Macs orPCs (laptops and desktops), and B2 Cloud Storage, which provides low-cost cloud storage for individuals and organizations. Under EU data protection legislation, Backblaze is the controller of the processing of personal information described below.
With regard to the processing of files uploaded to our platform by our users when using our Computer Backup and B2Cloud Storage services, however, Backblaze is the processor. The person or organization contracting with Backblaze is the controller. To learn more about our processing of data as a processor on behalf of a controller, see the following documents: DPA for EEA/EU Residents, DPA for UK Residents, and Swiss Addendum to the EU SCC.
Under the data protection rules, we are required to inform you on which legal basis we process personal data. Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. We will normally collect personal information from you only where we have your consent to do so, where we need the personal information to perform a contract with you, or where the processing is in our legitimate business interests. In some cases, we may also have a legal obligation to collect personal information from you. If we ask you to provide personal information to comply with a legal requirement or to enter into a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information). Similarly, if we collect and use your personal information in reliance on our legitimate business interests, we will make clear to you at the relevant time what those legitimate business interests are. If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided under the 'How to contact us' heading below.
To provide you with the Services, we may store, process, and transmit your personal and non-personal information in the United States. When transferring data from the European Union, the European Economic Area, the United Kingdom, and Switzerland, Backblaze relies upon a variety of legal mechanisms, such as contracts with our customers and affiliates, the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S.Data Privacy Framework, the Swiss-U.S. Data Privacy Framework.
Backblaze shall only disclose the personal data to a third-party on documented instructions from the Customer/Visitor. In addition, the data may only be disclosed to a third-party located outside the European Union (in the same country as Backblaze or in another third country, hereinafter “onward transfer”) if the third-party is or agrees to be bound by the Standard Contract Clauses, set out in our DPA forEEA/ EU Residents or if:
(i) the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
(ii) the third-party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU)2016/679 with respect to the processing in question;
(iii) the onward transfer is necessary for the establishment, exercise, or defense of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by Backblaze with all the other safeguards under this Privacy Notice, in particular with the principle of purpose limitation.
(a) Backblaze may disclose personal data received by residents of the EEA/EU, UK, or Switzerland to third-parties in adherence with the Customer/Visitor’s documented instructions and under the following conditions:
(i) Service Providers: Backblaze may share your personal data with our service providers that perform services on our behalf, such as data analysis, customer service, marketing assistance, information technology support, and related services.
(ii) Affiliates and Partners: Backblaze may share your personal data with our affiliates and partners where it is necessary for providing our services, conducting our operations, or enhancing the user experience.
(iii) Legal and Regulatory Authorities: Backblaze may share your personal data with legal, governmental, or regulatory authorities when required by law or legal process or to establish, protect, or exercise our legal rights or defend against legal claims.
(b) In the case of an onward transfer, the Backblaze ensures that:
(i) the third-party is bound or agrees to be bound by the Standard Contract Clauses under the appropriate Module set out in the following documents: DPA for EEA/EU Residents, DPA for UK Residents, and Swiss Addendum to the EU SCC.
(ii) the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 ofRegulation (EU) 2016/679;
(iii) the third-party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU)2016/679;
(iv) the onward transfer is necessary for the establishment, exercise, or defense of legal claims; or
(v) the onward transfer is necessary to protect the vital interests of the data subject or another natural person.
(c) All disclosures and onward transfers are subject to compliance with all the other safeguards set out in the following documents: DPA for EEA/ EU Residents, DPA for UK Residents, and Swiss Addendum to the EU SCC.
If you live in one of the countries governed by GDPR, UK GDPR, or Swiss Data Protection Law, or if you use our services from one of these countries, you have the rights explained below, which you can exercise at any time as described. You can also exercise these rights by submitting a data subject request here or by contacting us at firstname.lastname@example.org.
You can correct, update, or request deletion of your details in your Account by logging in to your Account or contacting us.
You can object to the processing of your personal information, ask us to restrict the processing of your personal information, or request portability of your personal information where applicable and technically possible. You can find more information on objecting to or restricting certain processing here. You can find more information on requesting portability here.
If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
You have the right to opt-out of marketing communications we send you at any time. You can exercise this right here or by using the unsubscribe link provided in each email. It may take up to three business days to remove you from our marketing lists. Please note that even after you opt-out, you will still receive Service Emails from us. You can learn more about our Email communications here.
You have the right to complain to a data protection authority about our collection and use of your personal information.Contact details for data protection authorities in the EEA here, in the UK here, and in Switzerland here.
(a) Backblaze agrees to notify the Customer/Visitor and, where possible, the data subject promptly (if necessary, with the help of Backblaze) if it:
(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or
(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to theseClauses in accordance with the laws of the country of destination; such notification shall include all information available to Backblaze.
(b) If Backblaze is prohibited from notifying the Customer/Visitor and/or the data subject under the laws of the country of destination, Backblaze agrees to use its best efforts to obtain a waiver of the prohibition, communicating as much information available, as soon as possible. Backblaze agrees to document this available information to its best efforts in order to be able to provide the information on request of theCustomer/Visitor.
(c) Where permissible under the laws of the country of destination, Backblaze agrees to provide theCustomer/Visitor, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether such requests have been challenged and the outcome of such challenges, etc.).
(d) Backblaze agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and to make the information available to the competent supervisory authority on request.
(e) Paragraphs (a) to (c) are without prejudice to the obligation of Backblaze pursuant to Clause 14(e) and Clause 16 to inform the Customer/Visitor promptly where Backblaze is unable to comply with these Clauses.
(a) Backblaze agrees to review the legality of the request for disclosure, in particular, whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. Backblaze shall, under the same conditions, pursue possibilities of appeal. When challenging a request, Backblaze shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e) of the EU SCC.
(b) Backblaze agrees to document its legal assessment and any challenge to the request for disclosure and, to theextent permissible under the laws of the country of destination, make the documentation available to the Customer/Visitor. It shall also make it available to the competent supervisory authority on request.
(c) Backblaze agrees to provide the minimum amount of information permissible when responding to a request fordisclosure based on a reasonable interpretation of the request.
Backblaze is subject to the investigatory and enforcement powers of the FTC, which is the federal agency responsible for protecting consumers and maintaining competition. We may be required to disclose personal information that we handle under the Data PrivacyFramework in response to lawful requests by public authorities for reasons including meeting national security or law enforcement requirements.
In compliance with the EU-U.S. DPF and the Swiss-U.S. DPF, Backblaze commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the Swiss-U.S. DPF should first contact Backblaze at email@example.com.
In compliance with the EU-U.S. DPF and the Swiss-U.S. DPF, Backblaze commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the Swiss-U.S. DPF to American Arbitration Association, an alternative dispute resolution provider located at 120 Broadway, 21st Floor in New York, NY 10271 in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit www.adr.org for more information or to file a complaint. The services of the American Arbitration Association are provided at no cost to you.