The General Data Protection Regulation (“GDPR”) makes a distinction between "Controller" and "Processor". The regulation defines the Controller as a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. The Processor, on the other hand, is defined as a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Backblaze processes two types of customer data. Stored data, often referred to as “files,” and Account Data.
Stored data is the data the customer stores with us for the purpose of being able to recover:(restore) some or all of the data at some later date/time. Regarding this type of data, under GDPR, the customer is the Controller and Backblaze is the Processor, as we process this personal data on behalf of the customer.
Account data is the data Backblaze collects from the customer to operate and manage the customer’s Backblaze account via the services we provide. Much of the Account data Backblaze collects is considered personal data, under GDPR. Regarding this data, Backblaze is the Controller because we decide what data we need to collect and how to use it within our system.