Automattic is committed to helping our customers run their sites and online businesses in a manner that complies with the GDPR’s data protection and data transfer laws.
One way we are fulfilling our commitment is by providing a Data Processing Agreement, which is a contract that documents Automattic’s compliance with the GDPR requirements that apply to us as a data processor for your site. The Agreement also satisfies the requirement for standard model clauses that govern the transfer of your data to Automattic and its subsidiaries.
The Data Processing Agreement is an amendment to our Terms of Service and is available to all WordPress.com site owners.
Having a DPA does not change any of our privacy and security practices for site visitors. Everyone using our service gets the same high standards of privacy and security.
If you would like to sign a Data Processing Agreement with us, you can click the “Request a DPA” button in your dashboard while logged into your WordPress.com account. This will automatically send a DPA to your account’s email address, which you can sign and return to email@example.com for processing.
For example, a site owner might have a store on WordPress.com that collects and stores other people’s names and addresses and uses that information to ship packages to them.
For this type of information, the site owner (usually a business) is acting as a “Data Controller”. Under GDPR, if the controller is handling data on EU residents, he or she should have a contract in place that applies to this controlled data and includes some additional commitments, above and beyond our standard policies. This “Data Processing Agreement” is a business-to-business agreement and is not relevant or needed for the typical free site owner or hobbyist.
If you are acting as a data controller in this way, or have specific concerns about getting an Agreement to cover your use of WordPress.com, please get in touch and we will work with you to help.