VMware Privacy Program

Our comprehensive privacy program enables you to feel confident that your personal data is kept private and processed responsibly.

Protecting Personal Data as a Service Provider

How VMware, as a processor, enables you to comply with data protection and privacy requirements.

Contractual Agreements

Review VMware contractual obligations for the ongoing protection of the personal data you submit to its services.

Court Orders, Government Access, Law Enforcement

Learn how VMware handles government access requests, subpoenas, court orders, and other legal and regulatory requirements.

Data Transfer Mechanisms

Learn about the mechanisms VMware relies on when transferring personal data from the European Economic Area, Switzerland, and the United Kingdom to third countries.

Sub-Processors

Explore the list of third parties VMware engages with to perform services on its behalf and sign up to be notified if the list changes.

VMware Products and Services

The personal data VMware collects and processes varies depending on which services you purchase. Read through the privacy datasheets and UEM disclosure to discover the personal information VMware processes in relation to its service offerings.

Protecting Personal Data as a Business

How VMware, as a controller, complies with data protection and privacy requirements.

Privacy Notices

VMware privacy notices detail the personal information collected, how it is used, how long it is stored, and who has access to it.

Privacy Culture at VMware

VMware privacy policies and training programs ensure its employees know how to protect your data. Its Data Protection Officer is also consulted as needed.

Privacy by Design and Records of Processing

VMware has a comprehensive privacy program that includes privacy reviews, records of processing activities, and transfer impact assessments. 

Marketing Preferences and Data Subject Rights

VMware respects your privacy, offering choice and control over your personal information.

Frequently Asked Questions

“Customer Content” (or “Your Content”) is any content that you, as a customer, or your users upload into a Cloud Service for processing, storage, or hosting in connection with your account. In the context of Support Services, “Customer Content” is any content you provide to VMware as a part of Support Services. The definition of “Customer Content” can be found in the VMware General Terms. For example, Customer Content includes data that you or your users store in Workspace ONE. Importantly, your account information, including names, usernames, phone numbers, and billing information associated with your account, is not included in the definition of “Customer Content”, nor is any information VMware collects in connection with your use of its Cloud Services. Rather, VMware will handle that information in accordance with its Privacy Notice.

You always retain ownership of Customer Content. You determine which VMware Cloud Services you use to process, store, and host Customer Content, and what information you upload into the Cloud Service as Customer Content. Also, VMware will not access or use Customer Content for any purpose except as necessary to provide the Cloud Service to you or as set forth and permitted in its VMware General Terms with you. Lastly, VMware does not use Customer Content for marketing or advertising.

VMware provides enterprise solutions which enable its customers to build, manage, secure and run applications across multiple systems and environments. Although VMware believes the nature of the service offerings it provides to its customers won’t generally warrant a direct government access request to Customer Content, VMware took the following steps to comply with the Schrems II ruling and to assist customers in their own compliance efforts in relation to data they process as a controller:

Strengthened Contractual Commitments Regarding Government Access Requests
VMware updated the ‘Required Disclosure’ section of its VMware General Terms to clarify how VMware handles government access requests by adding the following commitments:

Where customer notification is not legally prohibited, VMware will:

  • Notify the Customer: Notify its customers of any demand for disclosure of customer’s content.
  • Refer Government Agency to the Customer: Inform the relevant government authority that VMware is a service provider acting on the customer’s behalf and all requests for access to customer’s content should be directed in writing to the contact person the customer has identified to us, or the customer’s legal department.
  • Limit Access: Only provide access to customer’s content with the customer’s authorization. If the customer requests, we will, at the customer’s expense, take reasonable steps to contest any demand.

In the event VMware is legally prohibited from notifying the customer, VMware will:

  • Evaluate Legal Validity: VMware will evaluate the demand for disclosure to determine whether it is legally valid and binding.
  • Challenge Unlawful Requests: VMware will challenge the order if it reasonably believes the order does not comply with applicable law.
  • Limit Scope of Disclosure: VMware will limit the scope of any disclosure to only the information we are required to disclose and will disclose the information in accordance with applicable law.

Transparency Regarding Process for Handling Government Access Requests and US Authorities

To assist customers in further understanding VMware’s commitments and process for handling government access requests, including commitments set forth in VMware’s BCRs, VMware has prepared VMware Principles for Handling Government Requests to Access Customer Content.

Further, VMware has prepared the VMware Statement regarding application of FISA Section 702 and Executive Order 12333 in view of Schrems II to address concerns about U.S. intelligence agencies having access to data transiting from the EU to the U.S. and to assist customers in understanding the likely application of two U.S. authorities: Executive Order (EO) 12333 and the Foreign Intelligence Surveillance Act (FISA) Section 702. VMware strongly believes there is a low likelihood that it would be subject to Section 702 or EO 12333 in relation to its provision of the service offerings given the nature of the services it provides.

Updated Contracts with Sub-Processors to Ensure Legal Basis for Transferring Personal Data

Since the invalidation of the EU-U.S. Privacy Shield, VMware has implemented Standard Contractual Clauses with all its sub-processors who previously relied on the EU-US Privacy Shield as a data transfer mechanism. In its capacity as a data processor, VMware relies on Binding Corporate Rules to transfer Personal Data outside the EU in connection with the provision of the applicable VMware service offerings as set forth in VMware’s Data Processing Addendum.

 

Technical and Organizational Measures

VMware confirms its commitment to implement and maintain appropriate technical and organizational measures as set forth in VMware’s Data Processing Addendum. VMware’s Trust Center outlines the third-party certifications and audits VMware maintains in relation to its service offerings. Given the nature of the VMware service offerings, customers also have control over how they configure the service offerings, and can implement any necessary administrative and technical controls as required to protect the data that is processed in connection with their use of the applicable service offering. In many instances, VMware provides both on-premise and hosted solutions for customers to choose from when managing their systems and infrastructure.

Transfer Impact Assessments
VMware implemented a process for conducting transfer impact assessments as further detailed in the TIA FAQ. Further, VMware updated its Binding Corporate Rules for Processors (BCR-Ps), as approved by the supervisory authorities, to include a commitment to conduct transfer impact assessments. See VMware’s Transfer Impact Assessment Procedure set forth in its BCR-Ps.

 

Transparency Regarding the Types of Data processed by VMware Service – Datasheets
The European Data Protection Board (EDPB) in its FAQs on “Schrems II” outlined that it is necessary to consider the types of data transferred as one factor in determining whether there is an adequate level of protection surrounding the transfer of personal data outside the EU, and that controllers should conduct a case-by-case analysis to determine the risks posed by such transfer. To assist customers in understanding the types of data processed in connection with their use of VMware service offerings, VMware provides Service Descriptions for each service offering, and makes available datasheets for certain service offerings in the Privacy section of the VMware Trust Center. For Workspace One service offerings, VMware also makes available the Workspace One Disclosure.

VMware engages and uses third parties to perform services on its behalf in connection with the provision of VMware service offerings or Support & Subscription Services. In connection with the engagement of third parties who process personal data as a sub-processor (as those terms are defined in the Data Processing Addendum), VMware has implemented the following processes and procedures:

  1. Contractual commitment and international data transfers: VMware enters into data processing agreements with all its sub-processors, which require the sub-processors to maintain proper privacy, security and confidentiality of personal data on terms that are substantially similar to the contractual commitments VMware makes to its own customers in the Data Processing Addendum. VMware relies on the EU Standard Contractual Clauses unless there is another legitimate data transfer mechanism in place and the sub-processor makes appropriate contractual commitments.

  2. Privacy review process and privacy by design: VMware has established a centralized end-to-end third-party vendor management process to onboard new suppliers, including initiating, conducting and tracking third-party privacy and security reviews using centralized tools to assist with its compliance efforts. The VMware Privacy Team conducts detailed privacy reviews of the services provided by Sub-processors, including determining the categories of personal data processed and the processing purposes. The reviews include the implementation of privacy controls for mitigating the risks associated with sub-processors’ access to and processing of Personal Data and ensuring regulatory compliance.

  3. Security review process: VMware maintains a policy and process for conducting security reviews of sub-processors. The VMware Security Team conducts an initial security review of any new sub-processor, and ongoing monitoring based on the identified security risk level.

  4. List of sub-processors and notification of new sub-processors: VMware maintains a list of the sub-processors used by individual service offerings and in relation to the Support & Subscription Services. VMware provides prior notice of any new engagement of a sub-processor to customers that have subscribed to receive notification for a specific service. 

VMware has an internal process for tracking, analysing and assessing new laws, regulations, binding guidance and case law that may apply to VMware whether in its provision of its services or in the operation of its business.  The Privacy Team relies on outside counsel, external privacy research tools and law firm news alerts to understand when new laws and regulations are enacted. 

Once it is determined that a specific privacy law applies to VMware, such as was the case with laws in China, Japan, California, Colorado, Virginia, and Utah, for example, VMware tracks the legal requirements and implements a project plan to ensure compliance. As part of the implementation process, the VMware Privacy Team engages relevant internal stakeholders, and identifies the processes and controls that need updating to comply with the new legal requirements.  The VMware Privacy Team relies on its eco-system of Privacy Councils (driven by functional area such as Marketing, HR, Sales) within the company to assist with the implementation of new or changed laws in a timely and efficient manner.

The VMware Privacy Team also leverages its standard privacy training and other company trainings to ensure all its employees and contractors are properly trained on any new legal requirements that may impact their business function. For example, as part of VMware’s regulatory compliance with its Binding Corporate Rules for Processors, VMware implemented the necessary trainings via its annual mandatory Security and Awareness training, as well as updated its Business Code of Conduct to reflect the new requirements.

Security of its Cloud Services is of the utmost importance to VMware. For more information on how VMware secures its Cloud Services, see the Trust Center Security page. VMware maintains an information security management program that is aligned with the ISO 27001 standard, and reviewed at least annually to ensure appropriate controls, practices and procedures are in place.

In using VMware Cloud Services, you are responsible for configuring and implementing the necessary technical, organizational, and administrative controls to enable you to comply with any laws applicable to your use of the Cloud Service, which may depend on the types of data you choose to process using the service. Your responsibilities relating to the security of your Customer Content are set forth in the applicable agreement and include (a) controlling access you provide to your users, (b) configuring the Cloud Service appropriately, (c) ensuring the security of Customer Content while it is in transit to and from the Cloud Service, (d) using encryption technology to protect Customer Content as you deem necessary, and (e) backing up Customer Content.

How We Protect Personal Data as a Service Provider

As a processor, VMware has developed a comprehensive privacy program to enable you, as a controller, to comply with data protection law in your use of the service.

Contractual Commitments

These privacy agreements supplement the VMware General Terms, available at VMware ONE Contract Center.

Data Processing Addendum

VMware contractual commitments to protect the security, confidentiality, and integrity of your personal data.

GDPR Supplemental Measures Addendum

An integral part of the VMware Data Processing Addendum that aligns with the revised EU standard contractual clauses resulting from the Schrems II decision.

 

Business Associate Agreement

VMware commitment to protected health information for certain services where customer is a covered entity under HIPAA.

 

Data Transfer Mechanisms

VMware may transfer personal data you submit to the services as your content from the European Economic Area, Switzerland, and the United Kingdom to third countries in its capacity as a processor.

Binding Corporate Rules

As a processor, VMware relies on Binding Corporate Rules (BCR-Ps) to transfer personal data from the European Economic Area (“EEA”), Switzerland and the United Kingdom (“UK”) to third countries. BCRs are a data transfer mechanism under the General Data Protection Regulation (“EU GDPR”), Switzerland’s Federal Act on Data Protection (“FADP”) and the UK Data Protection Act. VMware BCR-Ps are legally binding on the members of the VMware group of companies via an Intra-Group Agreement (“IGA”) and apply to all transfers of personal data between members where the BCR-Ps are referenced in the contract with the customer.

European Economic Area and Switzerland

VMware EEA BCR-Ps were approved by the European Data Protection Authorities, with the Irish Data Protection Authority being the lead authority, on May 23, 2018. These BCR-Ps were updated in May 2021 to implement controls post-GDPR and then again in October 2022 to implement requirements post-Schrems II. VMware provides annual updates to the Irish DPA, which includes amending the BCR-Ps as may be required. Annual updates are conducted each year in May.

For transfers of personal data outside of Switzerland, VMware relies similarly on the EEA BCR-Ps.

United Kingdom

The VMware application for Binding Corporate Rules for Processors in the UK (“UK BCR-Ps”) is currently pending, and the VMware Data Processing Addendum will be updated when the UK BCR-Ps take effect. In the meantime, VMware has contractually agreed in its Data Protection Addendum to extend the protections set forth in the EEA BCR-Ps to transfers of personal data from the UK to third countries where VMware is acting as a processor.

Sub-Processors

VMware follows defined processes and procedures to protect your personal data when engaging with third parties who perform services on its behalf.

Standard Contractual Clauses for International Data Transfers

VMware enters into data processing agreements with all sub-processors, requiring them to maintain the privacy, security, and confidentiality of personal data on terms substantially similar to the contractual commitments in our Data Processing Addendum. To ensure safe, secure and legal data transfers from the EEA, Switzerland or the UK, and to protect any subsequent onward transfers, VMware relies on the EEA Standard Contractual Clauses (“EEA SCCs”), UK International Data Transfer Agreement or UK Addendum to EEA SCCs unless another legitimate data transfer mechanism is in place.

Sub-Processor List and Notifications

VMware maintains a list of the sub-processors used by each VMware service.

 

You can receive notice when a new sub-processor is engaged by your service by subscribing to receive notification.

Court Orders, Government Access & Law Enforcement Requests

VMware is committed to protecting its customers’ content while complying with applicable law.

VMware makes commitments in its VMware General Terms (see section entitled Required Disclosures) and Binding Corporate Rules Processor Policy (BCR-Ps) regarding how it will handle government access requests, subpoenas, court orders, agency actions or other legal or regulatory requirements to disclose any customer’s content.

VMware is not aware of any applicable law that would impinge on its ability to comply with its commitments relating to government access requests and required disclosures as set forth in the VMware General Terms.

In no event will VMware disclose any personal data in a massive, disproportionate, or indiscriminate manner that goes beyond what is necessary in a democratic society.

Transparency Report

Published annually, this report shows the number of government and law enforcement requests VMware receives globally.

US Authorities - FISA

VMware statement regarding Foreign Intelligence Surveillance Act (FISA) Section 702 and Executive Order (EO) 12333.

Government Access Requests

VMware is guided by a set of core principles in its response to access requests relating to your content.

VMware Products and Services

VMware provides datasheets to help you understand the personal data processed by its services, and additional resources that outline its unified endpoint management and data usage programs.

VMware Application Catalog Privacy

Discover how VMware processes and protects your personal data in connection with VMware Application Catalog.

VMware Carbon Black Cloud Privacy

Learn about the types of personal data collected by this cloud native security solution and how VMware processes and protects it.

VMware Carbon Black Hosted EDR Privacy

Discover how VMware processes and protects your personal data in connection with Carbon Black Hosted EDR.

VMware Cloud on AWS Privacy

Learn about who is responsible for personal data in VMware Cloud on AWS SDDCs and how VMware protects any data in its domain.

VMware Cloud Disaster Recovery Privacy

Discover how VMware processes and protects your personal data in connection with the VMware Cloud Disaster Recovery service offering.

VMware Cloud Flex Storage Privacy

Discover how VMware processes and protects your personal data in connection with VMware Cloud Flex Storage.

VMware Cloud Web Security Privacy

Learn about the types of personal data collected by this secure web gateway and how VMware processes and protects it.

CloudHealth by VMware Privacy

Discover how VMware processes and protects personal data on the trusted platform for optimizing multi-cloud environments.

VMware Horizon Privacy

Discover how VMware processes and protects your personal data in connection with the VMware Horizon Service.

VMware NSX Privacy

Learn how VMware processes and protects your personal data in connection with VMware NSX.

VMware SD-WAN Privacy

Learn about the types of personal data collected by this network overlay solution and VMware’s role in protecting it.

VMware Secure Access Privacy

Discover how VMware processes and protects personal data in the Secure Access hosted offering.

VMware Tanzu Mission Control Privacy

Discover how VMware processes and protects your personal data in connection with the VMware Tanzu Mission Control Offering.

VMware Tanzu Service Mesh Privacy

Learn how VMware processes and protects your personal data in connection with VMware Tanzu Service Mesh.

VMware Workspace ONE Privacy

Learn about the types of personal data collected by this digital workspace platform and how VMware processes and protects it.

Workspace ONE Unified Endpoint Management

VMware Workspace ONE Unified Endpoint Management is a single solution that offers a scalable approach to process automation, end-user device and application management, and enterprise level security. To assist customers in complying with their transparency obligations under law, VMware makes available the Workspace One Disclosure. Customers, in their capacity as controllers, can provide a privacy notice to their users based on this disclosure and the customer’s configuration, use and deployment of Workspace One. To learn more, access the Workspace ONE Unified Endpoint Management (UEM) product page.

Improving our Products and Services

VMware collects information about customer organizations’ use of VMware products and services for its analytics and customer experience improvement programs, designed to improve its offerings and your customer experience.

Privacy by Design and Records of Processing

Privacy reviews, transfer impact assessments and records of processing activities are integral components of the VMware privacy program, designed to mitigate risk and ensure compliance.

Privacy Reviews

VMware Products and Services

VMware has implemented a privacy by design framework in the lifecycle of its on-premise products and hosted services.

The privacy by design framework includes:
 

  • Documented instructions for submitting a product or service through a privacy review.
  • Designated legal counsel to conduct privacy reviews.
  • Data processing impact assessments (as may be required).
  • General privacy requirements for designing products and services in compliance with applicable data protection and privacy laws.

Third-Party Vendors

VMware has established a centralized end-to-end third-party vendor management process to onboard new suppliers.

 

The VMware Privacy Team conducts privacy reviews of the services provided by vendors, including:
 

  • Determining the categories of personal data processed and the processing purposes.
  • Implementing privacy controls to mitigate the risks associated with vendors’ access to and processing of personal data to ensure regulatory compliance.

Transfer Impact Assessments

VMware conducts transfer impact assessments (TIAs) on personal data transferred from the EEA, Switzerland, or the UK to third countries which have not been granted adequacy status.

Its internal process for conducting TIAs follows the European Data Protection Board (EDPB) guidance and the UK Information Commissioner’s Office’s International Transfer Risk Assessment and Tool.

This includes:
 

  • Undertaking a country level analysis.
  • Gathering additional information from VMware vendors to assess government access.
  • Conducting TIAs as part of the privacy review for VMware products and services, third-party sub-processors, and corporate functions.

For more information, including how VMware handles government access requests and the likelihood of such requests, refer to the TIA FAQ.

Records of Processing Activities

Records of Processing Activities (RoPA) outline what personal data VMware holds as an organization and where. Created through information auditing and data-mapping, RoPA is a comprehensive record of VMware personal data processing activities and includes information regarding:
 

  • Data categories
  • Data subjects
  • Purpose of and lawful basis for processing
  • Data recipients
  • Retention schedules
  • Description of technical and organizational measures and documentation of safeguards
  • Processing activities carried out by our sub-processors

VMware RoPAs are regularly reviewed and updated. VMware will provide access to data protection authorities as required to comply with regulatory obligations.

Privacy Culture at VMware

We make choices every day affecting data privacy. VMware policies, training, and Data Protection Officer consultation ensure every decision made is the right one.

Privacy Policies & Practices

VMware has comprehensive policies and practices in place to ensure personal data is adequately protected and to help identify, prevent, and resolve security vulnerabilities in its products and services. These policies and practices are continually reviewed and updated.

Privacy Training Program

VMware employees complete mandatory privacy training on a regular basis, both general and role specific. Confidentiality agreements are also required for all employees.

Data Protection Officer

The VMware Privacy Team engages a Data Protection Officer as appropriate in issues related to the protection of personal data, regulatory obligations and compliance, data protection impact assessments, and as the point of contact for supervisory authorities.

Take Control of Your Data Privacy

VMware honors the choices you make to protect your personal data and respects your privacy rights.

Marketing Communication Preferences

Update your preferences for advertising and promotional communications, including event invitations, newsletters, and learning program offerings.

Privacy Contact Form

Contact VMware for answers regarding your personal data or to exercise your rights under privacy law.

Cookie Management

The VMware Cookie Notice outlines our use of cookies & similar technologies. Manage your preferences by clicking the Cookie Settings button in the lower right corner on any VMware web page.