Data Protection Impact Assessment Guidance

Data Protection Impact Assessments (DPIAs) are designed to help data controllers systematically analyze, identify, and minimize the data protection risks associated with new technologies or projects. They are an essential part of a data controller's accountability obligations under the European Union's General Data Protection Regulation (GDPR) and Law Enforcement Directive (LED).

The purpose of this document is to provide data controllers with information about Axon Cloud Services to help them determine whether a DPIA is needed and, if so, what details to include when considering Axon Cloud Services. However, utilization of Axon Cloud Services does not inherently require a DPIA. Data controllers should work with their own legal teams to understand and comply with applicable laws and regulations related to their use of Axon Cloud Services. Axon is not providing any legal advice in this document, and it should be used for informational purposes only.

Please contact privacy@axon.com or your Axon representative for additional assistance in completing a DPIA in relation to using Axon Cloud Services.

Identify the need for a DPIA

GDPR Article 35 and LED Article 27 require that a DPIA shall be created 'where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.'

Where applicable, data controllers should determine any additional requirements implemented in applicable law or regulation for the protection of the rights and freedoms of the data subject with regard to the processing of personal data by competent authorities.

GDPR Article 35(3) specifies that the following processing operations shall in particular require a DPIA:

Processing Operation Considerations | Relevant Information about Axon Cloud Services
A systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person

Axon Cloud Services are not specifically designed to perform these types of automated processing of data.

Processing on a large scale of special categories of data referred to in GDPR Article 9(1), or of personal data relating to criminal convictions and offences referred to in GDPR Article 10

Axon Cloud Services provide capabilities to process on a large scale special categories of data relating to criminal convictions and offenses. Data controllers should determine applicability of this consideration based on their usage of Axon Cloud Services.

A systematic monitoring of a publicly available area on a large scale

Axon Cloud Services are not specifically designed to perform systematic monitoring of a publicly available area on a large scale. However, customers can use Axon Cloud Services to process data collected through such monitoring. Data controllers should determine applicability of this consideration based on their usage of Axon Cloud Services.

DPIA Elements

A DPIA is used to help data controllers comply with their data protection obligations and meet individuals' expectations of privacy. DPIA elements are specified in GDPR Article 35(7) and LED Article 27(2). Below you can find relevant information about Axon Cloud Services to help with the completion of a DPIA:

GDPR DPIA Element | LED DPIA Element | Relevant Information About Axon Cloud Services
A systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller

A general description of the envisaged processing operations

The data controller is responsible for implementing, configuring, and using Axon Cloud Services. As such, the data controller shall determine the categories of data processed and the purpose of processing in Axon Cloud Services.

The controller can upload, ingest, or create Customer Content* in their instance of Axon Cloud Services for processing. Customer Content can be any data, including text, sound, video, and image files.

As specified in the Axon Cloud Services Privacy Policy, Axon, as a data processor, processes Customer Content as instructed by the data controller. The data controller determines the processing operation when using Axon Cloud Services.

Information relating to Axon Cloud Services' data retention and transfers and sharing with third parties is available in the Axon Cloud Services Privacy Policy.

An assessment of the necessity and proportionality of the processing operations in relation to the purposes

N/A

The data controller shall determine the necessity and proportionality of the processing operations in relation to the purposes when processing their content through Axon Cloud Services.

With regard to the processing carried out by Axon, such processing is necessary and proportional for the purpose of providing the services to the data controller as detailed in the Axon Cloud Services Privacy Policy.

An assessment of the risks to the rights and freedoms of data subjects referred to in GDPR Article 35(1)

An assessment of the risks to the rights and freedoms of data subjects

The key risks to the rights and freedoms of data subjects from the use of Axon Cloud Services will be a function of how and in what context the data controller implements, configures, and uses Axon Cloud Services. The risks shall be determined by the data controller.

As with any service, the risks associated with personal data held in a service include the risk of unauthorized access or inadvertent disclosure. Axon has taken measures to address such risks, as detailed in the Axon Cloud Services Privacy Policy.

The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned

The measures envisaged to address those risks, safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Directive, taking into account the rights and legitimate interests of the data subjects and other persons concerned

Axon Cloud Services has implemented many security mechanisms to protect the confidentiality, integrity, availability, and privacy of Customer Data*. These include data encryption, security monitoring, service resiliency, access control, evidence integrity, and many more.

Axon maintains comprehensive compliance programs to demonstrate our commitment to providing trustworthy products and services. These include ISO/IEC 27001:2013 certification, ISO/IEC 27018:2014 certification, SOC 2+ Reporting, Cloud Security Alliance - CSA Star Attestation (Level Two), Cyber Essentials Certification, and EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.

Information about Axon Cloud Services security and compliance is available on the Axon Trust page and in the Axon Cloud Services Privacy Policy.

Supplemental Information about Axon Cloud Services
Data Retention

Evidence retention periods are defined by the data controller within their internal retention policies and procedures. The data controller has the ability to establish Evidence retention policies within Axon Cloud Services.

Additional information about Customer Data Retention is available in the Axon Cloud Services Privacy Policy.

Data Location and Transfers

Axon Cloud Services are offered in numerous geographic regions. The data controller determines which regional deployment of Axon Cloud Services it wishes to utilize prior to tenant creation in Evidence.com. The data controller's selection determines where its Content will be stored.

Axon's commitments to data location and transfer are available in the Axon Cloud Services Privacy Policy.

Information Sharing

Axon may transfer data to its subsidiaries and Sub-processors, including service providers and other partners, to support the overall delivery of Axon products and services.

Details about information sharing with Axon subsidiaries and Sub-processors are available in the Axon Cloud Services Privacy Policy.

Axon Cloud Services also enables customers to share data between their tenants. Customers are required to ensure appropriate data sharing agreements are in place to support sharing data. Such agreements should align with regulatory requirements and define data ownership, responsibilities, and liabilities. Axon and the Axon Cloud Services sharing mechanisms do not define data ownership, responsibilities, and liabilities.

Audit Trail

Axon Cloud Services provides an Evidence audit trail that logs the when, who, and what for interactions with Evidence. The audit trail logs cannot be edited or changed, even by tenant administrators.

Data Subject Rights

Within the scope of Axon's authorization to do so, Axon will work with the data controller to fulfill data subject requests when data subjects exercise their rights under GDPR and LED. If Axon receives a request from the customer's data subjects to exercise one or more of their rights under GDPR or LED, the request will be redirected to the data controller.

Additionally, Axon will not disclose Customer Content or any information about the customer or the customer's data subjects except as compelled by a court or administrative body or required by any law or regulation. Information about required disclosures is available in the Axon Cloud Services Privacy Policy.

*Capitalized terms, including Customer Content, Evidence, and Customer Data, are defined in the Axon Cloud Services Privacy Policy.