Understand how Adobe Connect is ready for GDPR regulation and access how-to instructions for access and delete requests.
The European Union's General Data Protection Regulation (GDPR), which applies starting May 25, 2018, provides that Adobe, in its role as your data processor, must take appropriate measures to assist its customers in fulfilling access, delete, and other requests from individuals. As your data processor, providing you mechanisms to assist you with responding to Data Subject access and deletion requests and with managing user data is an important part of helping you comply with your obligations.
Adobe has a long-standing practice of incorporating privacy practices in the design and development of its products also known as Privacy by Design. Adobe is focused on protecting the data entrusted to it. The solution has controls in place for a strong foundation for GDPR readiness for our customers. Adobe considers GDPR readiness a shared journey with our customers and partners.
The following terms help users understand GDPR terminology related to Adobe Connect.
The following terms help users understand the solution terms related to Adobe Connect’s GDPR mechanisms.
For a detailed list of user roles in Adobe Connect, see Set permissions for library files and folders.
When Adobe provides software and services to an enterprise, Adobe acts as a data processor for any Personal Data it processes and stores as part of providing these services. The organizations and institutions that use Adobe Connect are the Data Controllers. As a technology provider, Adobe Connect with help the Data Controllers accomplish their GDPR journey by providing mechanisms and documentation, required to access user information and to delete user data. Adobe Connect will provide detailed how-to instructions on how Data Controllers can use these mechanisms to serve GDPR-related user requests.
Adobe has also identified a gap in the way we treat user data deletion. In line with Adobe’s GDPR guidelines, Adobe Connect will completely de-attach any user data to honor a deletion request, so that it cannot be traced back to the user. The changes will require product updates which will be made available as part of Adobe Connect 9.8 release.
The mechanisms and the API to fulfill Data Subject's access and deletion requests are supported only in Adobe Connect version 9.8 or later.
For its hosted and managed services, Adobe is the data processor and organizations are the Data Controllers. For hosted customer accounts on Adobe servers, Adobe Connect provides account-level administration rights to the organizations to access or delete information about their customers or users. The Session owners and the Account Administrators of the organizations are responsible for honoring the GDPR requests.
Adobe provides mechanisms and related documentation to allow an enterprise (Data Controller) to access and delete user information in accordance with the GDPR requirements. Adobe Connect will service the requests from Data Controllers, not from Data Subjects with respect to that Data Subject's use of Adobe Connect with that Data Controller.
In its role as a solution provider, Adobe Connect will provide appropriate mechanisms for its licensed customers to be GDPR ready. The organizations that are licensed customers, are Data Controllers who own the user data and are responsible for compliance. These organizations will provide mechanisms and relevant privacy notices to the individuals who engage with the organizations. The notices must describe how a user’s information is collected and used and if any consents are required. If the individuals want to know or delete their stored information, the organizations must respond to such requests.
Adobe will improve the existing mechanisms and documentation required for GDPR readiness. For GDPR-related queries, licensed customers must go through this document and the associated links. If such customers still have queries, they can reach out to Adobe Connect Support.
Adobe Connect obtains certain consent from the users at the time of registration for the Adobe Connect services generally and informs the users that the information collected while using the solution is subject to the Host's privacy practices. The notices for data collection and data retention policy helps address privacy concerns and transparency requirements, while continuing to provide a good user experience.
The mechanisms and API to fulfill Data Subject's access and deletion requests are supported only in Adobe Connect version 9.8 or later. To be GDPR ready, upgrade to Adobe Connect version 9.8 when it becomes available. The date for v9.8 availability is published in the v9.8 release notes linked from www.adobe.com/go/learn_cnn_relnotes_en.
The registered users use Adobe Connect for various types of virtual sessions such as meetings, webinars, trainings, recordings, and in various roles such as administrators, session owners, and participants. When a user accesses Adobe Connect, Adobe Connect uses a minimum set of Personal Data to uniquely identify registered users within a user profile. For example, a unique identifier for a user can be email.
From joining as a new user, to conducting session as hosts, and to administering an account, the registered users provide an assortment of information to Adobe Connect. Some of this user-provided information can be sensitive and Adobe Connect provides mechanisms to the registered users to control this information.
In Adobe Connect, an Account Administrator can modify the custom fields to gather extra personal information from a new user. As this information is not required by the system for user identification, Adobe Connect stores it without context and cannot relate it to any specific user or trace it back to a user. Such custom information is configured by, is accessible by, and is manageable by the respective account administrators.
Adobe Connect does not process information available under a session to relate it to individual and cannot trace this information for any individual. The respective session owners capture such information, can access it, and can manage it.
Session-specific information is maintained in the reports. The reports can be downloaded to local file system by the respective owners or administrators.
The solution does not control how these reports are used. The reports are accessible and manageable by the individual session owners and account administrators.
Periodic security audits are done to ensure that the sensitive strings, for example, session cookies, are not written to log files or are scrubbed when written.
User IP addresses are used to identify and safeguard against DOS attack attempts. The IP address or cookies are not used for any segmentation, offer management, to identify user, or to reach a user.
These user scenarios describe the privacy queries, the associated user experiences, and the workflows required to understand and address the queries. This section also describes how various roles can honor and act upon the privacy queries.
Account Administrator can access the data maintained for all users, all user-uploaded content, and the account level reports. Users can access and manage their own profile information, the content they own, the content created or used in the sessions they own, and the interactions that happened in their sessions. A user does not have access to their interactions in another user’s session.
Adobe Connect Central is the web-based interface for account management, user management, content management, and session management. The various system roles define the access rights. Web Services XML APIs allow for programmatic access and delete operations based on user privileges and filters. The information is returned securely in XML format for the user to act upon. The access rights and roles are applied to API operations as well.
Some data, that is critical for system health and usage reporting, is de-personalized by delinking from user’s unique identifiers in the system or by replacing the original information with another placeholder identifier that cannot be linked back to the user.
The data maintained by Adobe Connect is accessed using the Adobe Connect Central web interface and using the Web Services.
The information that can be accessed via the interface depends on the user’s access rights (ACLs) and permissions in the system. Administrators and Limited Administrators can access various data of all the users. To know the differences in the two administrator roles, see Built‑in permission groups and roles. Any other users are non-administrator users who can access their own personal information like user details, content uploaded, sessions created, sessions recorded, and so on.
The reporting modules enable enterprise users to obtain a wide variety of usage data about their Adobe Connect installation. The access is controlled by ACLs. Enterprise users with the appropriate access can view the usage reports using the interface or export the reports in CSV format. To know more about accessing reports, see Generate usage reports in Adobe Connect Central.
Web Services can be called by clients to exchange data with Adobe Connect accounts. The server returns information in XML format. The information accessed and modified depends on the requesting user’s access rights (ACLs). The API suite includes APIs targeted at users, at sessions, at reporting, and at administering.
Using the APIs, users can integrate external web applications with Adobe Connect, and automate tasks, such as those related with access and deletion of data maintained. For more information on Web Services APIs, see Introduction to Web Services and Get started with Web Services.
The data maintained can be deleted using the Adobe Connect Central web interface and using the Web Services APIs.
The registered users can upload content to Adobe Connect. Using the web interface or certain APIs, the registered users can also delete their own content. The registered users can delete the session data on which they have manage permissions.
Administrators with a certain role can delete registered users and principals using the principals-delete API. When an administrator deletes a registered user account from Adobe Connect web interface, the same API is called with the same behavior.
Adobe Connect cannot delete certain user data and must retain it to maintain certain necessary system reporting. In such cases, Adobe Connect will irretrievably de-identify or pseudonymize the Personal Data so that it cannot be traced back to a user. Also, Adobe Connect cannot determine if the data in the generic containers is Personal Data or not and cannot trace it back to the individual users.
The instructions to access and manage the data maintained by Adobe Connect are available as part of the official documentation.
Adobe will update its data retention policies, log retention policies, terms of usage, privacy statements, and other similar policies. Adobe Connect users when accepting the usage terms will have a better clarity about their personal information used in Adobe Connect.