EU laws + privacy

So I have been reading up on EU law, and if I understand what the EU.

  • Australian businesses of any size may need to comply if they have an establishment in the EU, if they offer goods and services in the EU, or if they monitor the behaviour of individuals in the EU.

Now, because our business allows anyone in the world to access our data and we collect data from people all around the world, I am wondering how MongoDB Atlas complies with these EU laws.

For example:
The GDPR requires that all data collected on citizens must be either stored in the EU, so it is subject to European privacy laws, or within a jurisdiction that has similar levels of protection.

But from my understanding Atlas does not do this, it stores it on a cluster of servers that we the customer selected when we signed up.

So how would we try and be GDPR compliant when using MongoDB when it only affects a small percentage of our clients?

Is it possible to clone an Atlas in real time and have the data in the EU, and connect EU customers to that? I can see a number of issues with this method though, as data would still be synced back to the US servers.

Would love to hear suggestions and ways to solve this issue.

Hi @Russell_Harrower

But from my understanding Atlas does not do this, it stores it on a cluster of servers that we the customer selected when we signed up.

MongoDB Atlas itself is GDPR compliant, as mentioned in the GDPR FAQ page in the Trust Center.

However, users of MongoDB Atlas must also ensure that their processes relating to data are in compliance with GDPR. Please refer to GDPR: Impact to Your Data Management Landscape: Part 3 blog post to see how MongoDB’s products and services can support users to be GDPR compliant.

Below is an excerpt from the post that would be relevant to your question about data sovereignty:

To support data sovereignty requirements, MongoDB zones allow precise control over where personal data is physically stored in a cluster. Zones are also the basis for Atlas’s fully managed Global Clusters. Clusters can be configured to automatically “shard” (partition) the data based on the user’s location – enabling administrators to isolate EU citizen data to physical facilities located only in those regions recognised as complying with the GDPR.

See also MongoDB Atlas: Manage Global Clusters. In addition, I’d suggest reviewing the GDPR blog series for more information.

I would recommend that you engage a consultant specialising in these areas to ensure your compliance.

Best regards
Kevin

5 Likes
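The zone-based isolation described in the excerpt above only holds for locations that a zone range actually covers, so a residency review should check the ranges themselves. The following is an added example, not part of the original thread and not MongoDB's own code: it audits constructed zone-range documents shaped like those in a sharded cluster's `config.tags` collection. The namespace `app.users`, the zone names, the `location`-only shard key (real shard keys are usually compound) and the list of EU codes are assumptions for illustration.

```javascript
// Constructed sample shaped like config.tags documents (zone ranges).
// Namespace, zone names and ranges are made up for illustration.
const zoneRanges = [
  { ns: "app.users", min: { location: "DE" }, max: { location: "DF" }, tag: "EU" },
  { ns: "app.users", min: { location: "FR" }, max: { location: "FS" }, tag: "EU" },
  { ns: "app.users", min: { location: "IE" }, max: { location: "IF" }, tag: "US" }, // misassigned
  { ns: "app.users", min: { location: "US" }, max: { location: "UT" }, tag: "US" },
];

// Zone ranges include the lower bound and exclude the upper bound.
function zoneFor(ns, location, ranges) {
  const hit = ranges.find(
    (r) => r.ns === ns && r.min.location <= location && location < r.max.location
  );
  return hit ? hit.tag : null;
}

// Report every location that is not pinned to an approved zone.
function auditResidency(ns, locations, approvedZones, ranges) {
  const findings = [];
  for (const location of locations) {
    const zone = zoneFor(ns, location, ranges);
    if (zone === null) {
      // Data outside every zone range can be placed on any shard.
      findings.push({ location, zone, problem: "no zone range" });
    } else if (!approvedZones.has(zone)) {
      findings.push({ location, zone, problem: "non-approved zone" });
    }
  }
  return findings;
}

// Constructed subset of EU country codes to check.
const euLocations = ["DE", "FR", "IE", "PL"];
const findings = auditResidency("app.users", euLocations, new Set(["EU"]), zoneRanges);
for (const f of findings) {
  console.log(`${f.location}: ${f.problem} (zone: ${f.zone})`);
}
```

On a live cluster the same check would read the ranges from `config.tags` rather than from an inline array.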