
EDIT: Sophos Connect telemetry collection DOES NOT break EU GDPR Laws

Please be aware that telemetry data collection that users have to agree to during installation MUST be optional. Also, sending this data to non-EU servers is no longer lawful: https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091de.pdf



Changed subject to reflect corrected information
[locked by: AlanT at 8:13 PM (GMT -7) on 22 Sep 2020]


  • Hi Tom,

    Thanks again for sharing your concerns. I've checked with our legal team on this, and the good news is that Sophos Connect DOES NOT violate any GDPR regulations. Here is what they had to say:

    "Thank you for letting us know about your concerns. With the invalidation of Privacy Shield and other developments with respect to privacy around the world, we want to assure you that Sophos is processing customer data in a lawful manner that remains aligned with GDPR requirements and other applicable global privacy laws.
    In order to lawfully transfer personal data outside of the EU, an adequate data transfer mechanism must be used. Where Sophos does process personal data, Sophos relies on the Standard Contractual Clauses for the purposes of transferring personal data outside of the EU. This information is provided in our Sophos Group Privacy Notice under the International Transfers of Data section on the left-hand side. Sophos offers customers our standard Data Processing Addendum, which details our obligations with respect to personal data.
    Please feel free to contact us with additional questions about the Data Processing Agreement we have in place with you as a Customer.
    Additionally, telemetry data that Sophos collects and processes as a result of the use of Sophos Connect VPN is not considered personal data under GDPR. Our telemetry collection allows Sophos to provide the product to our customers and as such is not optional. Sophos processes this information based on contractual necessity, a recognized basis which may be relied upon to process data, recognized under GDPR."

    As such, I will have the subject of this thread changed, to prevent misunderstandings.

  • Hi Tom, I will check with our legal team about this statement, but Sophos Connect has gone through legal and compliance reviews, including GDPR, prior to every release. Sophos takes GDPR compliance very seriously, and we will investigate whether any changes are needed here, or not.
