General Data Protection Regulation Disclosure
Introduction
In 2013 MEGA pioneered user-controlled end-to-end encryption through a web browser. It provides the same zero-knowledge security for its cloud storage and chat, whether through a web browser, mobile app, sync app or command line tool. MEGA, The Privacy Company, provides Privacy by Design.
As all files uploaded to MEGA are fully encrypted, their contents can’t be read or accessed in any manner by MEGA. Files can only be decrypted by the original uploader through a logged-in account, or by other parties who have been provided with file/folder keys generated by the account user.
Personal data is information relating to an identifiable natural person who can be directly or indirectly identified in particular by reference to an identifier.
MEGA stores the following categories of Personal Data
Contact Details
- Email addresses
- User’s name (if provided)
Transaction Details
- IP address and Source Port for account creation and file uploads
- Country location (inferred by matching IP to MaxMind IP database)
- File size and date uploaded
- Date that file/folder links are created
- MEGA contacts
- Chat destination contact(s) and time sent
- Call destination contact(s), call start time and call duration
- Subscriptions and payment attempts
- Information provided to a payment processor when processing a subscription payment, such as Tax ID number, but not the credit/debit card number.
MEGA does not receive or store special categories of personal data or data relating to criminal convictions and offences, as any files that are uploaded to MEGA are fully encrypted at the user’s device so the encrypted data is not able to be decrypted by MEGA.
MEGA doesn’t share the data with any other party other than with competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences and as specified in the Privacy Policy clause 11.
Purpose
The purpose of storing the data is to manage account login and activity and to respond to information demands from authorities.
Processing
MEGA stores personal data but does not carry out any other processing activities on such data. This storage of personal data is necessary in order to provide the secure login to MEGA’s systems and to satisfy compliance obligations.
Lawful Basis of Processing: Contract
The processing of data is necessary for performance of the contract that MEGA has with each user, which they accepted through the Terms of Service when creating their account.
The Terms of Service clause 2 requires the user to agree to the Terms or otherwise to not use the service. Acknowledging and accepting the Terms of Service is a mandatory step in the signup process in all clients - web and mobile.
Clauses 50-51 of the Terms of Service incorporate the Privacy Policy by reference. The Privacy Policy specifies the personal information that is stored.
Retention of Personal Data
Personal data is retained indefinitely while the user’s account is open. After account closure, MEGA will retain all account information as long as there is any law enforcement request pending but otherwise for 12 months after account closure as users sometimes request that an account be re-activated. After 12 months, identifying information such as email and IP addresses will be anonymised (except that email address records will be retained for reference by the user’s contacts or where the user has participated in chats with other MEGA users) but other related database records may be retained.
After user deletion of a file all deleted files will be made inaccessible, marked for deletion and deleted fully when the next appropriate file deletion purging process is run.
After account closure all stored files will be marked for deletion and deleted fully when the next appropriate file deletion purging process is run.
Data Subject’s Rights
Each user has the rights specified in this disclosure notice.
Withdrawal of Consent
Users can only withdraw consent to MEGA collecting the specified personal information if they close their account.
Statutory and Contractual Obligations
Personal Information collected by MEGA is not collected because of any contractual or statutory obligation to third parties.
Automated Decision Making and Profiling
MEGA does not undertake any automated decision making or profiling.
The Right of Access
Individuals have the right to obtain:
- confirmation that their data is being processed;
- access to their personal data;
Any requests should be submitted to [email protected]. The information will be provided promptly, and at least within one month, without charge unless the request is manifestly unfounded or excessive.
Rectification
Individuals are entitled to have personal data rectified if it is inaccurate or incomplete. If MEGA has disclosed the personal data in question to any third party (such as a compliance authority), it will inform them of the rectification where possible and will also inform the individuals about the third parties to whom the data has been disclosed where appropriate. The only third parties that might have had disclosure are compliance authorities.
Erasure
The right to erasure does not provide an absolute ‘right to be forgotten’. Individuals have a right to have personal data erased and to prevent processing in specific circumstances:
- The personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
- The individual withdraws consent.
- The individual objects to the processing and there is no overriding legitimate interest for continuing the processing.
- The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
- The personal data has to be erased in order to comply with a legal obligation.
- The personal data is processed in relation to the offer of information society services to a child.
Any requests for erasure will be considered in detail and would probably result in closure of the user’s account.
After account closure, MEGA will retain all account information as long as there is any law enforcement request pending but otherwise for 12 months after account closure as users sometimes request that an account be re-activated. After 12 months, identifying information such as email and IP address will be anonymised (except that email address records will be retained for reference by the user’s contacts or where the user has participated in chats with other MEGA users) but other related records may be retained.
After user deletion of a file all deleted files will be made inaccessible, marked for deletion and deleted fully when the next appropriate file deletion purging process is run.
After account closure all stored files will be marked for deletion and deleted fully when the next appropriate file deletion purging process is run.
In some cases a person may receive an email from MEGA asking the person to confirm their new account email address, but in fact they haven’t tried to open an account - someone else has started the process and used their email address either maliciously or by mistake. In these cases, MEGA has an ephemeral/incomplete account that might be used to upload files. On request, and after proving ownership of the email address, MEGA will arrange for the account to be deleted.
MEGA can refuse a request for erasure:
- to comply with a legal obligation for the performance of a public interest task or exercise of official authority.
- for public health purposes in the public interest;
- for the exercise or defence of legal claims.
The Right to Restrict Processing
Individuals have a right to ‘block’ or suppress processing of personal data. When processing is restricted, MEGA is permitted to store the personal data, but not further process it. As MEGA only stores, and doesn’t further process the stored personal data, no action will be taken in response to a request to restrict processing.
Data Portability
The right to data portability only applies:
- to personal data an individual has provided to a controller;
- where the processing is based on the individual’s consent or for the performance of a contract; and
- when processing is carried out by automated means.
On request by email to [email protected], MEGA will provide a user’s personal data in a structured, commonly used and machine readable form such as JSON files.
Note that all files in a user’s account can be downloaded and decrypted through any of the usual clients.
Lead Data Protection Supervisory Authority
The Lead Data Protection Supervisory Authority is the Luxembourg National Commission for Data Protection. This is the appropriate authority for accepting GDPR complaints about MEGA.
NATIONAL COMMISSION FOR DATA PROTECTION
1, avenue du Rock'n'Roll
L-4361 Esch-sur-Alzette
https://cnpd.public.lu
Controller
MEGA Limited
Level 21, Huawei Centre
120 Albert St
Auckland
New Zealand
Company number 4136598
Controller’s Representative
Mega Europe sarl
4 Rue Graham Bell
L-3235 Bettembourg
Luxembourg
Company number B182395
[email protected]
© MEGA 2018 All rights reserved