Metallic and GDPR Compliance

The General Data Protection Regulation (GDPR) is widely considered to be one of the most stringent privacy and security laws in the world. Although the regulation was written and passed by the European Union (EU), it imposes obligations on organizations anywhere, so long as they target, collect or in any way process data related to individuals from the EU. The data protection framework introduced by GDPR laid out extensive rules on how to process data and defined the obligations of those who process data. The regulation became applicable on May 25, 2018.

Metallic is committed to supporting our customers’ compliance with GDPR

  • Metallic prioritizes the privacy and security of the data we protect with our entire product suite: Metallic™ Backup for Microsoft 365, Metallic™ Endpoint Backup & Recovery, Metallic™ VM & Kubernetes Backup, Metallic™ File & Object Backup, and Metallic™ Database Backup.
  • When Metallic provides services to our EU customers as a data processor on their behalf, we will ensure that we comply with the specific requirements for data processors.
  • When we appoint third parties to act as sub-processors, we’ll also ensure that we have appropriate terms in place to comply with the GDPR and safeguard customers’ data.
  • Metallic is committed to making our products and services better every day, so our partners and customers can continue to use our services, with confidence, in a manner that supports their compliance efforts.
  • One of the aims of GDPR was to minimize the fragmentation of data privacy laws throughout the EU. However, EU Member States are in certain cases still able to introduce national legislation to further specify the application of GDPR rules. In addition, GDPR is subject to interpretation by Data Protection Authorities and courts (e.g. by means of guidelines and decisions). We are closely monitoring all relevant developments around GDPR in order to provide solutions that enable our customers to stay on top of the ever-changing data protection compliance landscape.

GDPR requirements

GDPR differentiates between requirements imposed on Data Controllers and Data Processors. It is important to understand the shared responsibility model introduced by GDPR and obligations imposed on parties involved in the data processing. View GDPR requirements related to usage of the Metallic Offering.

Requesting the data processing agreement

In accordance with GDPR, our relationship with customers (data controllers) is governed by the Data Protection Addendum (DPA). View Commvault and Metallic’s Data Processing Addendum.


Contact our data protection officer

If you have questions about Metallic data processing practices, the Privacy Policy, or GDPR, feel free to reach out to our Global Data Governance Officer at GDGO@commvault.com.