Privacy Policy

CYXTERA AND APPGATE GENERAL PRIVACY POLICY

Date Effective: April 17, 2020
Date Last Updated: April 17, 2020

I. Introduction

This General Privacy Policy, which is effective as of April 17, 2020, amends prior versions of the Customer Privacy Policy and Privacy Policy which were effective as of May 25, 2018 and June 1, 2018, respectively. The amendments update the information previously provided in such prior versions and reflect an internal reorganization of our corporate structure whereby Cyxtera Cybersecurity, Inc. d/b/a AppGate, including its subsidiaries and Affiliates (as defined below) (“AppGate”), was spun-out from Cyxtera Technologies, Inc., including its post-reorganization subsidiaries and Affiliates (“Cyxtera”). Cyxtera and AppGate may be referred to herein collectively as “the Group,” “we,” “our,” or “us” except for certain provisions where the context is limited to Cyxtera or AppGate as separate organizations.

Cyxtera is a global leader in data center colocation services, ranking as the largest private retail colocation company in the world and among the largest worldwide retail colocation providers overall.

AppGate is an industry leader in security, fraud protection and data analytics products and services and cybersecurity professional services, acting as a service provider for other entities to assist them in meeting their business needs.

This General Privacy Policy addresses the privacy rights of individuals who:

  • visit or use our Websites;
  • interact with us on behalf of a Customer in connection with the provision of our Services;
  • interact with us on behalf of a Service Provider in connection with the products and services our Service Provider provides to us;
  • interact with us on behalf of a business partner in connection with our relationship with the business partner;
  • apply to work with us;
  • receive marketing communications from us; and/or
  • interact with us by registering for, attending and/or otherwise taking part in our trade events, webinars, or conferences or who communicate with us via email, phone, or in-person.

This General Privacy Policy, along with our GDPR Privacy Policy and Privacy Shield Policy set forth at the links below, is designed to assist individuals and businesses that interact with us to understand the types of Personal Data we collect, how that Personal Data is Processed, and the practices we have adopted to protect Personal Data.  If your Personal Data is Processed by us in the European Economic Area (“EEA”), including in the United Kingdom (“UK”) or the European Union (“EU”), or if you are a resident of the EEA, including the UK or EU, and subject to GDPR protections, please click here to view our GDPR Privacy Policy for data processing in the EU/EEA/UK, and here to view our Privacy Shield Policy, which covers the transfer of personal data from the EEA/EU/UK/Switzerland to the United States.  In the event of a conflict between the GDPR Privacy Policy and the General Privacy Policy, the GDPR Privacy Policy will prevail.  If your Personal Data is transferred from the EEA/EU/UK/Switzerland to the United States, please click here to view our Privacy Shield Policy covering such transfers. In the event of a conflict between the General Privacy Policy or GDPR Privacy Policy and the Privacy Shield Policy, the Privacy Shield Policy will prevail.

II. Definitions

“Controller” means a person or organization that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Customer” means a business that has, formerly had, or is contemplating purchasing or using our Services.

“GDPR” means the EU General Data Protection Regulation 2016/679.

“Personal Data” means any information relating to an identified or identifiable natural person.

“Privacy Policy” means this General Privacy Policy, the GDPR Privacy Policy and the Privacy Shield Policy, collectively.

“Process” and “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.

“Processor” means a person or organization that engages in Processing.

“Representative” means an individual who (i) acts on behalf of a Customer, including, a Customer’s employees, agents, and representatives, (ii) acts on behalf of a Service Provider, including, a Service Provider’s employees, agents, and representatives, (iii) acts on behalf of a business partner, including a business partner’s employees, agents, and representatives or (iv) otherwise interacts with us in any manner, for example through our Website, in emails, phone calls, or in-person interaction.

“Sensitive Data” includes, but may not be limited to, Personal Data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual, and that is subject to the EU-U.S. or Swiss-U.S. Privacy Shield Principles.

“Service Provider” means a supplier, subcontractor, vendor, or other third party who provides services to us.

“Services” means the products and services provided by us, including, but not limited to, colocation and other data center services, fraud detection software and services, website accessibility compliance software and services, data analytics services, and cybersecurity software and services.

“Website” means all of the websites and mobile applications maintained by us that display a link to the General Privacy Policy, the GDPR Privacy Policy, and/or Privacy Shield Policy.

“Website Visitor” means an individual who visits the Website.

III. Personal Data Collected

For our Customers, we may collect the Personal Data of your Representatives (e.g., name, job title, business contact details, etc.) when your Representatives inquire about, negotiate, purchase, or use any of our Services on your behalf.

For our Service Providers, we may collect the Personal Data of your Representatives when we inquire about or purchase services from you to support our business operations.

For our business partners, we may collect the Personal Data of your Representatives in connection with our interactions with you. 

For prospective employees, we may collect your Personal Data when you visit, browse, or register on our Websites, when you submit an application for employment, when you provide additional Personal Data during the application and interview process, when you speak to our employees during your interview process, and when you otherwise provide or authorize us to collect your Personal Data during the application and interview process.

For our Website Visitors, we may collect certain Personal Data from you when you visit, browse, register on our Websites, complete a form on our Websites, or engage in online support received through our Websites. We may also collect certain information about your session when you visit our Websites, including internet protocol (IP) addresses, browser type, internet service provider, referring/exit pages, operating system, date/time stamp and clickstream data, as further outlined in Section VI below.

We may also collect the Personal Data of Representatives if they (i) register for a trade event, webinar, or conference hosted by us, (ii) download or request content and information regarding our Services, (iii) complete a survey or form, (iv) request online support through our Websites, or (v) receive marketing communications from us. 

IV. Purpose of Personal Data Collection and Processing

We collect and Process Personal Data for the following purposes:

  • To administer and process transactions related to the Services we provide;
  • To provide, assess, and improve our customer support and customer service;
  • To personalize your experience using our Services or Websites;
  • To communicate with you during contract negotiations or post-contract support;
  • To fulfill a legal obligation or to protect our rights;
  • To comply with applicable laws and regulations;
  • To advise you of additional or new Services that may be of interest to your company;
  • To administer and manage Service Providers;
  • To work with business partners;
  • To improve and protect the integrity and security of our Services and our Websites;
  • To enforce any applicable contracts;
  • To administer a contest, promotion, survey, event, conference, webinar, or other website feature;
  • To consider you for employment;
  • To send periodic communications (the contact information that you provide may be used to send you information, including marketing, respond to inquiries, and/or other requests or questions);
  • In an emergency, where the health or security of an individual may be endangered;
  • In the event of a corporate reorganization, including, but not limited to, merger, acquisition, or sale; and
  • For any other purpose for which you have been notified, and if legally required where appropriate consent has been obtained.

If you receive marketing communications from us by email, we seek your opt-in consent to send you such communications by email in jurisdictions where that is required.  If we track whether or not you open any such email, we seek your opt-in consent to do so in jurisdictions where that is required.  You may, in any event, unsubscribe from the receipt of future electronic communications from us by clicking on the “unsubscribe” link provided in such communications or by emailing unsubscribe@cyxtera.com or unsubscribe@appgate.com, as applicable. Please be sure to contact the appropriate email address that is affiliated with the entity from whom you are trying to unsubscribe.

V. Security

We implement a variety of security measures to maintain the safety of your Personal Data when you enter, submit, or access your Personal Data, or when it is otherwise collected or Processed by us. We take reasonable and appropriate measures to secure your Personal Data.

VI. Cookies and Other Technologies 

When you visit our Websites, open an email that we send you, or interact with the communication features on our Websites, we may collect information about your usage or device by automated means or by using technologies such as cookies, web server logs, and web beacons. Please view Cyxtera’s Cookie Policy or AppGate’s Cookie Policy, as applicable, for information on our practices in relation to the use of these technologies.

At this time, we are not in a position to honor “do not track” signals from website browsers. However, you may refuse or delete cookies. If you do so, some of the functionality of our Website may be impaired. Additionally, you may still be identifiable and your usage may still be trackable by other means. Please refer to your browser’s “Help” instructions to learn more about how to manage cookies and the use of similar technologies.

VII. Third Party Sharing

Except as otherwise detailed herein, we do not sell, disclose, or otherwise transfer Personal Data we have collected from you to outside parties.

A. Service Providers.  We share Personal Data with Service Providers that we have retained to perform certain services and functions on our behalf, and these Service Providers have agreed to use the Personal Data solely as necessary to perform the services and functions in accordance with our instructions and subject to appropriate nondisclosure limitations.

B. Business Partners.  We may share your Personal Data with trusted business partners pursuant to our contractual arrangements with them, which will include appropriate safeguards to protect any Personal Data that we share with these partners. These may be third parties that organize tradeshows, third party consultants and experts, and auditors.

C. Affiliated Entities.  We share Personal Data with entities that are under our common ownership or control (our “Affiliates”). Subject to local requirements, this Personal Data may be used to provide Services offered by our Affiliates, for Affiliates to provide support to the Affiliated entity that is sharing the Personal Data, or for any other purposes described herein.  For example, our Affiliates may share Personal Data with one another about our Customers, Service Providers, business partners, Representatives, prospective employees, and Website Visitors for direct marketing purposes.

D. Payment Processing.  We work with a payment processing partner to process certain credit card payments. If you make a credit card payment to us, our payment processing provider will store your full name and credit card details.

E. Fraud Prevention and Protection of Legal Rights.  We may use and disclose Personal Data to the appropriate legal, judicial, or law enforcement authorities and our advisors and investigators: (i) when we believe, in our sole discretion, that such disclosure is necessary to investigate, prevent, or respond to suspected illegal or fraudulent activity or to protect our safety, rights, or property  and those of each of our Customers, Service Providers, business partners, Representatives, Website Visitors, prospective employees, or others; (ii) when we suspect abuse of the Website or Services or unauthorized access to any system, spamming, denial of service attacks, or similar attacks; (iii) to exercise or protect legal rights or defend against legal claims; or (iv) to allow us to pursue available remedies or limit the damages that we may sustain.

F. Law Enforcement.  We may have to disclose the Personal Data of our Customers, Service Providers, business partners, Representatives, prospective employees, Website Visitors, or others if a court, law enforcement, or other public or government authority with appropriate competency requests that we provide that Personal Data and we believe, in our reasonable discretion, that such request was made in compliance with applicable law.

G. Corporate Reorganization.  We may share your Personal Data with a third party in the case of the reorganization, sale, merger, joint venture, assignment, transfer or other disposition of all or any portion of our business, asset or stocks, including in the event of bankruptcy or corporate restructuring. Any Personal Data that an individual submits or that is collected after the reorganization may be subject to a new privacy policy adopted by the successor entity, of which we will inform, where required.

VIII. Retention

We will keep the Personal Data that we collect for as long as is reasonably necessary to achieve the purpose for which you provided it, or to the extent necessary for us to protect our rights, or as required by applicable laws.

IX. Collection of Personal Data from Children 

Our Websites are intended for individuals 18 years of age and older. They are not directed at, marketed to, nor intended for, children under 18 years of age.  We do not knowingly collect any information, including Personal Data, from children under 18 years of age. If you believe that we have inadvertently collected Personal Data from a child under the age of 18, please contact us at the email address in Section XI below, and we will take immediate steps to delete it.

X. Changes to Privacy Policy

When we change this General Privacy Policy, including the GDPR Privacy Policy or Privacy Shield Policy, we will update the “Date Effective” and “Date Last Updated” provided with this General Privacy Policy and/or the effective date for the respective GDPR Privacy Policy or Privacy Shield Policy portions. We encourage you to view this General Privacy Policy, including the GDPR Privacy Policy and Privacy Shield Policy, when interacting with us to ensure you are aware of the current terms. We will provide adequate notice of any material changes and obtain your consent when legally required when making such changes to this General Privacy Policy, including the GDPR Privacy Policy and Privacy Shield Policy.

XI. Inquiries/Contact Us

You may have rights regarding your Personal Data depending on where you are and where your Personal Data is Processed. Please contact us at the applicable email address in this Section XI if you have questions in this regard or if you wish to update your Personal Data. Please note that if you have an account with us, you may update certain information through that account. We commit to resolving complaints about your privacy and our collection or use of your Personal Data. Should you have any questions regarding this General Privacy Policy, the GDPR Privacy Policy, or Privacy Shield Policy or any of its or their provisions, you may contact us at: privacy@cyxtera.com or privacy@appgate.com. Please ensure you contact the appropriate email address for the entity to which your questions relate.

XII. Governing Law; Venue; Waiver of Jury Trial and Class Actions

Unless applicable data protection / privacy laws provide otherwise, (a) the Privacy Policy is governed by the laws of the State of Florida, U.S.A, (b) you hereby agree that any dispute or claim raised or made by you against us relating to the Privacy Policy shall be subject to arbitration before a single arbitrator in Miami-Dade County, Florida in accordance with the Commercial Arbitration Rules of the American Arbitration Association and (c) you hereby waive all rights to bring or maintain any court action, jury trial or any class claim, class action, class arbitration, or other representative action, claim or proceeding against us in a court of law.    

 

CYXTERA AND APPGATE

GDPR PRIVACY POLICY

Date Effective: April 17, 2020

I. Scope

Please read this document carefully. This GDPR Privacy Policy applies to the Processing of Personal Data by our entities located within the EEA, including in the UK and EU (listed in Section III below), in their role as Controllers, or as otherwise covered by the GDPR, when individuals:

  • visit or use our Websites;
  • interact with us on behalf of a Customer in connection with the provision of our Services;
  • interact with us on behalf of a Service Provider in connection with the products and services our Service Provider provides to us;
  • interact with us on behalf of a business partner in connection with our relationship with the business partner;
  • apply to work with us;
  • receive marketing communications from us; and/or
  • interact with us by registering for, attending and/or otherwise taking part in our trade events, webinars, or conferences or communicate with us via email, phone, or in-person interactions.

This GDPR Privacy Policy does not apply to any Personal Data Processed, stored, or hosted by Customers using any of our Services or to the extent that we Process Personal Data in the role of a Processor on behalf of our Customers. Where we act as Processors on behalf of our Customers, that Processing is subject to the protections contained in our data processing agreements with Customers. We have no control over, and are not responsible for, any Personal Data that our Customers may store or host on their equipment or otherwise process while using our Services.  We are not responsible for the privacy or data security practices of our Customers, which may differ from those set forth in this GDPR Privacy Policy.  For information related to how our Customers Process Personal Data, please contact the respective Customer directly. 

Furthermore, this GDPR Privacy Policy does not apply to any third-party website or service that may be linked to the Websites unless that website or service is controlled by us and displays this GDPR Privacy Policy. We have no control over, and are not responsible for, the data collection and/or handling practices of these third-party websites or services outside our Websites. We encourage you to read the privacy statements of any third-party websites or services linking to (or linked to via) the Website.  In the event of a conflict between this GDPR Privacy Policy and the General Privacy Policy, this GDPR Privacy Policy will prevail.  

II. Definitions

Please see the definitions as presented in the General Privacy Policy found here.

III. Identification of Controllers

Cyxtera’s entities located in the EEA/UK/EU that act as Controllers include the following:

  • Cyxtera Technology UK Limited
  • Cyxtera Germany GmbH
  • Cyxtera Netherlands B.V.

AppGate’s entities located in the EEA/UK/EU that act as Controllers include the following:

  • Cryptzone Group AB
  • Cryptzone UK Ltd.

For our Customers, Service Providers, business partners, and Representatives associated with us, the relevant Controller is the EEA/EU/UK entity with which you have contracted; or, if you did not contract with an EEA/EU/UK entity, the EEA/EU/UK entity as determined by us.  For job applicants who apply to work with us, the Controller is the EEA/EU/UK entity you applied to work for as determined by us.  

IV. Our Contact Details

For Cyxtera, if you have any questions or concerns as to how your Personal Data is Processed, please write to us at privacy@cyxtera.com or at 25 Canada Square Level 37, London, United Kingdom, E14 5LQ (Attn: Cyxtera Legal Department).

For AppGate, if you have any questions or concerns as to how your Personal Data is Processed, please write to us at privacy@appgate.com or at 25 Canada Square Level 37, London, United Kingdom, E14 5LQ (Attn: AppGate Legal Department).

V. Cyxtera’s Data Collection Practices

A. What Types of Personal Data Does Cyxtera Collect?

Cyxtera collects and processes the following categories of Personal Data from Customers, Service Providers, business partners, Representatives, Website Visitors, prospective employees, individuals that receive marketing communications from Cyxtera and individuals that interact with Cyxtera by registering for, attending and/or otherwise taking part in Cyxtera’s trade events, webinars or conferences or who communicate with Cyxtera via email, phone or in person, in each case to operate its business for the specific purposes identified below.   

  • Personal Details include data such as names, titles, company names, departments, email addresses, physical street addresses, telephone numbers, and social media usernames of individuals.
  • Login Credentials include data such as usernames and passwords of individuals needed to access various Customer portals or applications used to place Service orders and receive Customer support or otherwise access Cyxtera systems.
  • Unique IDs include data such as IP addresses and geolocation data that we obtain from (a) Representatives, (b) prospective employees, (c) Website Visitors who access our customer portals or Websites, or (d) other individuals that interact with us.
  • Payment Information includes data such as bank name, account numbers, routing numbers, check numbers, and wire transfer IDs.
  • Customer Support Records include data such as call details and other similar data regarding customer support communications and chat sessions with Representatives.
  • Access Credentials and Visitation Records include data such as the dates, times and locations of access to our data centers, photographs of Representatives with access privileges, CCTV recordings, and biometric access credentials, including fingerprint scans.
  • Website Records include data related to your interactions with our Websites and other online content such as log data (i.e., preferences and settings, IP addresses, technical information about the device used to visit the Websites, and geolocation information) and traffic data (i.e., pages viewed, date stamps, time spent on a page, click through and clickstream data, queries made, search history, search results selected, comments made, type of service requested, and purchases made).
  • Education and Work History includes details such as attended schools, marks/grades, past employers, descriptions of roles performed, locations of employment, and reasons for leaving past employment.
  • Marketing and Event Records include the personal details of the Representative signing up to receive marketing materials as well as information collected from Representatives who complete a survey or form.  Marketing records also include the personal details of Representatives who register for, attend and/or otherwise take part in our trade events, webinars, or conferences as well as information about these events.

B. Why Does Cyxtera Collect Personal Data, What are the Sources of Personal Data, What are the Purposes for Processing, and What is the Lawful Basis?

This section of the GDPR Privacy Policy covers Cyxtera’s collection of data necessary for the establishment of relations with or provision of Services to existing Customers, the establishment of relationships with or receipt of services from our Service Providers, the establishment of relations with or interactions with business partners, interactions with our Website Visitors, interactions with applicants for employment, interactions with those that receive marketing communications from Cyxtera and interactions with those that register for, attend and/or otherwise take part in Cyxtera’s trade events, webinars or conferences or who communicate with Cyxtera via email, phone or in-person.  

The table below sets out the types of Personal Data Cyxtera Processes, the purposes of Processing such Personal Data, and Cyxtera’s lawful basis for doing so. The lawful basis will vary with the type of Processing involved and will typically include Processing (i) necessary for Cyxtera to pursue its legitimate business interests, (ii) based on your consent, where this is required by data protection laws, and (iii) necessary for Cyxtera to comply with its legal obligations. Where we rely on our legitimate business interests, we have explained what the grounds are for that reliance.

Cyxtera’s Purpose of Processing Personal Data

Cyxtera’s Lawful Basis for Collecting Personal Data

To engage in transactions with Customers, Service Providers and business partners.  When a Customer places an order for our Services, Cyxtera Processes the following Categories of Personal Data to engage in and administer the relevant transactions necessary to deliver and provide such Services to its Customer (i.e., signing a contract or service order, creating an account, sending invoices, receiving payments, granting access to customer portals).  Cyxtera also collects and Processes such Personal Data when engaging with and purchasing products and services from Service Providers or business partners.

  • Personal Details
  • Login Credentials
  • Unique IDs
  • Payment Information

Lawful basis: Cyxtera has a legitimate business interest in processing Personal Data in order to engage in transactions with its Customers, Service Providers and business partners and efficiently run its business

To manage the security of our data center and office locations.  In order to grant a Customer, Service Provider, business partner or prospective employee access rights to our data centers and office locations and monitor the security of these locations, Cyxtera collects and Processes the following categories of Personal Data from the Representatives of such Customer, Service Provider or business partner or the prospective employee:

  • Personal Details
  • Unique IDs
  • Access Credentials and Visitation Records

Lawful basis: Cyxtera has a legitimate business interest in protecting the security of its data centers and office locations

To provide customer and technical support.  Cyxtera collects and Processes the following categories of Personal Data to provide Customers and their Representatives with technical and general support:

  • Personal Details
  • Login Credentials
  • Unique IDs
  • Customer Support Records

Lawful basis: Cyxtera has a legitimate business interest in being able to provide its Customers with customer and technical support

To communicate and respond to requests and inquiries. When a Customer, Service Provider, business partner or other person or entity contacts us by email, phone, text or by submitting a contact form on our Website, Cyxtera collects and Processes the following Categories of Personal Data from the Representatives or other individuals in order to communicate with Customer, Service Provider, business partner or such other person or entity, as applicable, and respond to their requests and inquiries.  Cyxtera also collects and Processes the following Personal Data from Representatives who register for a trade event, webinar, or conference:

  • Personal Details
  • Unique IDs
  • Website Records
  • Marketing and Event Records

Lawful basis: Cyxtera has a legitimate business interest in being able to communicate with its Customers, Service Providers, business partners and other persons or entities and respond to their inquiries and requests

To market our Services and tailor our marketing and sales activities. Cyxtera may Process the following categories of Personal Data when marketing new and existing Services and features to its Customers and other persons and entities and in an effort to personalize such experience.  Cyxtera also collects and Processes the following Personal Data from Representatives who register for a trade event, webinar, or conference:

  • Personal Details
  • Unique IDs
  • Website Records
  • Marketing and Event Records

Lawful basis: Except in cases where opt-in consent is required by law for the processing of email addresses, IP addresses or other unique identifiers to send or process electronic communications (emails, texts, cookies, etc.), Cyxtera processes this data for marketing purposes on the basis of its legitimate interests

To analyze, improve, and optimize the use, function and performance of our Website and Services.  Cyxtera may Process the following categories of Personal Data in order to analyze, improve, and optimize the use, function and performance of its Website and Services, including for quality assurance and training purposes, as well as for marketing and sales campaigns.

  • Personal Details
  • Unique IDs
  • Website Records
  • Marketing and Event Records

Lawful basis: Cyxtera has a legitimate business interest in improving and optimizing the use of its Website and Services

To comply with applicable laws, regulations and internal policies, practices, and procedures.  Cyxtera may be required to disclose certain categories of Personal Data to comply with applicable laws and regulations, for example, to respond to a request from a government agency or to defend a legal claim.  Additionally, Cyxtera may also be required to Process certain categories of Personal Data when conducting internal audits and investigations to ensure compliance with internal and external policies, practices, and procedures.

Lawful basis:

  • Legal Obligation
  • Cyxtera has a legitimate business interest in complying with all applicable laws, regulations, and internal policies

To effectuate a reorganization, sale, merger, assignment, transfer or other disposition of all or any portion of Cyxtera’s business. In the event Cyxtera reorganizes its business operations or enters into a transaction involving the sale, merger, assignment, transfer, or disposition of all or part of its business, it may be required to share all of the above categories of Personal Data with a third party.  Except as otherwise provided by a bankruptcy or other court, the use and disclosure of all transferred Personal Data will be subject to compliance with applicable data protection laws.

Lawful basis: Cyxtera has a legitimate business interest in being able to carry out a reorganization, sale, merger, assignment, transfer or disposition of its assets or business should the need arise

To receive applications for employment. Cyxtera may Process the following categories of Personal Data when receiving, reviewing, using, and storing applications for employment, including from prospective employees who visit the Website or other online locations where jobs may be posted and applications may be submitted:

  • Personal Details
  • Login Credentials
  • Unique IDs
  • Education and Work History
  • Cyxtera has a legal obligation to collect certain information to confirm your right to work in the country to which you have applied
  • Otherwise, Cyxtera has a legitimate business interest in Processing the Personal Data of job applicants who seek to join the company to assess them as candidates for employment

VI. AppGate’s Data Collection Practices

A. What Types of Personal Data Does AppGate Collect?

AppGate collects and processes the following categories of Personal Data from Customers, Service Providers, business partners, Representatives, Website Visitors, prospective employees, individuals that receive marketing communications from AppGate and individuals that interact with AppGate by registering for, attending and/or otherwise taking part in AppGate’s trade events, webinars or conferences or who communicate with AppGate via email, phone or in person, in each case to operate its business for the specific purposes identified below.   

  • Personal Details include data such as names, titles, company names, departments, email addresses, physical street addresses, telephone numbers, and social media usernames of individuals.
  • Login Credentials include data such as usernames and passwords of individuals needed to access various Customer portals or applications used to place Service orders and receive Customer support or otherwise access AppGate systems.
  • Unique IDs include data such as IP addresses and geolocation data that we obtain from (a) Representatives, (b) prospective employees, (c) Website Visitors who access our customer portals or Website or (d) other individuals that interact with us.
  • Payment Information includes data such as bank name, account numbers, routing numbers, check numbers, and wire transfer IDs.
  • Customer Support Records include data such as call details and other similar data regarding customer support communications and chat sessions with Representatives.
  • Access Credentials and Visitation Records include data such as the dates, times and locations of access to our offices and photographs and video recordings of Representatives and prospective employees that access our offices.
  • Website Records include data related to your interactions with our Websites and other online content such as log data (i.e., preferences and settings, IP addresses, technical information about the device used to visit the Websites, and geolocation information) and traffic data (i.e., pages viewed, date stamps, time spent on a page, click through and clickstream data, queries made, search history, search results selected, comments made, type of service requested, and purchases made).
  • Education and Work History includes details such as attended schools, marks/grades, past employers, descriptions of roles performed, locations of employment, and reasons for leaving past employment.
  • Marketing and Event Records include the personal details of the Representative signing up to receive marketing materials as well as information collected from Representatives who complete a survey or form.  Marketing records also include the personal details of Representatives who register for, attend and/or otherwise take part in our trade events, webinars, or conferences as well as information about these events.

B. Why Does AppGate Collect Personal Data, What are the Sources of Personal Data, What are the Purposes for Processing, and What is the Lawful Basis?

This section of the GDPR Privacy Policy covers AppGate’s collection of data necessary for the establishment of relations with or provision of Services to existing Customers, the establishment of relationships with or receipt of services from our Service Providers, the establishment of relations with or interactions with business partners, interactions with our Website Visitors, interactions with applicants for employment, interactions with those that receive marketing communications from AppGate and interactions with those that register for, attend and/or otherwise take part in AppGate’s trade events, webinars or conferences or who communicate with AppGate via email, phone or in-person.

The table below sets out the types of Personal Data AppGate Processes, the purposes of Processing such Personal Data, and AppGate’s lawful basis for doing so. The lawful basis will vary with the type of Processing involved and will typically include Processing (i) necessary for AppGate to pursue its legitimate business interests, (ii) based on your consent, where this is required by data protection laws, and (iii) necessary for AppGate to comply with its legal obligations. Where we rely on our legitimate business interests, we have explained what the grounds are for that reliance.

AppGate’s Purpose of Processing Personal Data

AppGate’s Lawful Basis for Collecting Personal Data

To engage in transactions with Customers, Service Providers and business partners.  When a Customer places an order for our Services, AppGate Processes the following Categories of Personal Data to engage in and administer the relevant transactions necessary to deliver and provide such Services to its Customer (i.e., signing a contract or service order, creating an account, sending invoices, receiving payments, granting access to customer portals).  AppGate also collects and Processes such Personal Data when engaging with and purchasing products and services from Service Providers or business partners.

  • Personal Details
  • Login Credentials
  • Unique IDs
  • Payment Information
  • AppGate has a legitimate business interest in processing Personal Data in order to engage in transactions with its Customers, Service Providers and business partners and efficiently run its business

To manage the security of our office locations. In order to grant a Customer, Service Provider, business partner or prospective employee access rights to our office locations and monitor the security of these locations, AppGate collects and Processes the following categories of Personal Data from the Representatives of such Customer, Service Provider or business partner or from the prospective employee:

  • Personal Details
  • Unique IDs
  • Access Credentials and Visitation Records
  • AppGate has a legitimate business interest in protecting the security of its office locations

To provide customer and technical support.  AppGate collects and Processes the following categories of Personal Data to provide Customers and their Representatives with technical and general support:

  • Personal Details
  • Login Credentials
  • Unique IDs
  • Customer Support Records
  • AppGate has a legitimate business interest in being able to provide its Customers with customer and technical support

To communicate and respond to requests and inquiries. When a Customer, Service Provider, business partner or other person or entity contacts us by email, phone, text or by submitting a contact form on our Website, AppGate collects and Processes the following Categories of Personal Data from the Representatives or other individuals in order to communicate with the Customer, Service Provider, business partner or such other person or entity, as applicable, and respond to their requests and inquiries. AppGate also collects and Processes the following Personal Data from Representatives who register for a trade event, webinar, or conference:

  • Personal Details
  • Unique IDs
  • Website Records
  • Marketing and Event Records
  • AppGate has a legitimate business interest in being able to communicate with its Customers, Service Providers, business partners and other persons or entities and respond to their inquiries and requests

To market our Services and tailor our marketing and sales activities. AppGate may Process the following categories of Personal Data when marketing new and existing Services and features to its Customers and other persons and entities and in an effort to personalize such experience. AppGate also collects and Processes the following Personal Data from Representatives who register for a trade event, webinar, or conference:

  • Personal Details
  • Unique IDs
  • Website Records
  • Marketing and Event Records
  • Except in cases where opt-in consent is required by law for the processing of email addresses, IP addresses or other unique identifiers to send or process electronic communications (emails, texts, cookies, etc.), AppGate processes this data for marketing purposes on the basis of its legitimate interests

To analyze, improve, and optimize the use, function and performance of our Websites and Services.  AppGate may Process the following categories of Personal Data in order to analyze, improve, and optimize the use, function and performance of its Websites and Services, including for quality assurance and training purposes, as well as for marketing and sales campaigns.

  • Personal Details
  • Unique IDs
  • Website Records
  • Marketing and Event Records
  • AppGate has a legitimate business interest in improving and optimizing the use of its Websites and Services

To comply with applicable laws, regulations and internal policies, practices, and procedures.  AppGate may be required to disclose certain categories of Personal Data to comply with applicable laws and regulations, for example, to respond to a request from a government agency or to defend a legal claim.  Additionally, AppGate may also be required to Process certain categories of Personal Data when conducting internal audits and investigations to ensure compliance with internal and external policies, practices, and procedures.

  • Legal Obligation
  • AppGate has a legitimate business interest in complying with all applicable laws, regulations, and internal policies

To effectuate a reorganization, sale, merger, assignment, transfer or other disposition of all or any portion of AppGate’s business. In the event AppGate reorganizes its business operations or enters into a transaction involving the sale, merger, assignment, transfer, or disposition of all or part of its business, it may be required to share all of the above categories of Personal Data with a third party.  Except as otherwise provided by a bankruptcy or other court, the use and disclosure of all transferred Personal Data will be subject to compliance with applicable data protection laws.

  • AppGate has a legitimate business interest in being able to carry out a reorganization, sale, merger, assignment, transfer or disposition of its assets or business should the need arise

To receive applications for employment. AppGate may Process the following categories of Personal Data when receiving, reviewing, using, and storing applications for employment, including from prospective employees who visit the Website or other locations where jobs may be posted and applications may be submitted:

  • Personal Details
  • Login Credentials
  • Unique IDs
  • Education and Work History
  • AppGate has a legal obligation to collect information to confirm your right to work in the country to which you have applied
  • Otherwise, AppGate has a legitimate business interest in Processing the Personal Data of job applicants who seek to join the company to assess them as candidates for employment

VII. Opting Out of Marketing Communications

If at any time you wish for us to cease communicating with you with marketing materials, please take advantage of the “unsubscribe” link that you will find in any of our written electronic communications or email us at unsubscribe@cyxtera.com or unsubscribe@appgate.com, as applicable. Please be sure to contact the appropriate email address that is affiliated with the entity from whom you are trying to unsubscribe. Please note you may still receive some communications such as those related to the Services you are receiving or in response to inquiries you have made to us.     

VIII. Sharing with Third Parties

Except as described below, we will not share or disclose Personal Data with or to outside third parties (meaning entities outside of the Group). The Group may share Personal Data between each other.

We will never sell Personal Data collected for the purposes of Service provision, or otherwise obtained from third parties, nor knowingly permit it to be used for marketing purposes by any person outside of the Group.

A. Service Providers. We may share Personal Data with our Service Providers in connection with advertising, hosting, data analytics, information technology and infrastructure, order management and fulfillment, billing, contract management, email delivery, auditing, events, and other related activities. We provide such Personal Data or authorize the processing of such Personal Data only as necessary to enable our Service Providers to perform their designated functions. Our contracts with them (1) require them to act only under our instruction and for the purpose(s) directed by us with respect to such Personal Data; and (2) prohibit them from sharing such Personal Data with any third parties without our authorization.

B. Business Partners. We may also share your Personal Data with trusted business partners pursuant to our contractual arrangements with them, which will include appropriate safeguards to protect any Personal Data that we share with these partners. These may include, but are not limited to, third parties that organize tradeshows, third party consultants and experts, and auditors.

C. Affiliated Entities. We share Personal Data with our Affiliates. Subject to local requirements, this Personal Data may be used to provide Services offered by our Affiliates, for the Affiliates to provide support to the Affiliated entity that is sharing the Personal Data or for any other purposes described in this GDPR Privacy Policy. For example, Affiliates may share Personal Data about our Customers, Service Providers, business partners, Representatives, prospective employees, and Website Visitors for direct marketing purposes.

D. Payment Processing. We work with a payment processing partner to process credit card payments. If you make any credit card payment to us, our payment processing provider will store your full name and credit card details.

E. Fraud Prevention and Protection of Legal Rights. We may use and disclose Personal Data to the appropriate legal, judicial or law enforcement authorities and our advisors and investigators: (i) when we believe, in our sole discretion, that such disclosure is necessary to investigate, prevent, or respond to suspected illegal or fraudulent activity or to protect the safety, rights, or property of the Group and of our Customers, Service Providers, business partners, Representatives, Website Visitors, prospective employees, or others; (ii) when we suspect abuse of the Website or Services or unauthorized access to any system, spamming, denial of service attacks, or similar attacks; (iii) to exercise or protect legal rights or defend against legal claims; or (iv) to allow us to pursue available remedies or limit the damages that we may sustain.

F. Law Enforcement. We may have to disclose the Personal Data of our Customers, Service Providers, business partners, Representatives, applicants, Website Visitors or others if a court, law enforcement or other public or government authority with appropriate competency requests that we provide that Personal Data and we believe, in our reasonable discretion, that such request was made in compliance with applicable law.

G. Corporate Reorganization. We may transfer the Personal Data of our Customers, Service Providers, business partners, Representatives, Website Visitors or others to a third party in the case of the reorganization, sale, merger, joint venture, assignment, transfer or other disposition of all or any portion of our business, asset or stocks, including in the event of bankruptcy or corporate restructuring. Except as otherwise provided by a bankruptcy or other court, the use and disclosure of all transferred Personal Data will be subject to compliance with applicable data protection laws. Any Personal Data that an individual submits or that is collected after the reorganization may be subject to a new privacy policy adopted by the successor entity, of which we will inform, where required.

IX. Cross-Border Transfers

If we transfer EEA/EU/UK/Switzerland Personal Data to Group Affiliates in the US, such transfers are covered by the EU-US Privacy Shield or Swiss-U.S. Privacy Shield, as applicable, certification (the list of self-certified Group Affiliates can be found here). Please view our Privacy Shield Policy for information on these practices and our commitment to the Privacy Shield Principles. In the event of a conflict between the General Privacy Policy or this GDPR Privacy Policy and the Privacy Shield Policy, the Privacy Shield Policy will prevail. In circumstances where we act as a Processor to our Customers, we will also put in place a GDPR-compliant data processing agreement.

Where we transfer EEA/EU/UK/Switzerland Personal Data to Group Affiliates that are not covered by the EU-US or Swiss-U.S., as applicable, Privacy Shield Framework, we will put in place appropriate intra-group agreements in accordance with the GDPR requirements, including use of the EU Commission-approved Standard Contractual Clauses for Controllers as appropriate. If we transfer EEA/EU/UK/Switzerland Personal Data to third parties, such as Service Providers or business partners in countries outside the EEA/EU/UK/Switzerland that are not considered to provide an adequate level of data protection or pursuant to the Privacy Shield Framework, we will put in place the EU Standard Contractual Clauses or other relevant international transfer documentation that complies with the GDPR requirements. We will also put in place a GDPR-compliant data processing agreement.

X. Data Retention

We will retain Personal Data that we collect and Process where we have a justifiable business need to do so and/or for as long as it is needed to fulfill the purposes outlined in this GDPR Privacy Policy.  We may retain Personal Data as required by law, such as for tax, legal, or accounting purposes.

With respect to Cyxtera, video footage of visits to our data centers is retained for 90 days. For current Customers, badge activity and badge holder profiles stored within our access control system are retained for the duration of the contract and for up to 12 months thereafter.  Such information may be retained for longer if it is included in other types of records that are subject to a longer retention period.

When, in our reasonable discretion, we have no justifiable business need to Process your Personal Data (for example, after all of our necessary interactions have ended, our internal record keeping policies no longer require us to continue to Process your Personal Data, and we have no other legal obligations to retain your Personal Data), we will either delete it or anonymize it.

XI. Data Subject Rights under the GDPR

The GDPR grants individuals who are in the EU/EEA/UK the following rights, with some limitations. Individuals may contact us at the address provided in Section IV captioned “Our Contact Details” above to exercise any of those rights and we will respond with the requested action or information, or will let you know why such rights do not apply to you.

These rights are not absolute and are subject to various conditions under applicable data protection and privacy legislation and the laws and regulations to which we are subject.

In some cases, the exercise of these rights (for example, erasure, objection, restriction or the withholding or withdrawing of consent to processing) may make it impossible for us to achieve the purposes identified in Section V or VI, as applicable, of this GDPR Privacy Policy and otherwise provide services.

A. Right Not to Provide Consent or to Withdraw Consent. We may seek to rely on your consent in order to Process certain Personal Data. Where we do so, you have the right not to provide your consent, and the right to withdraw your consent at any time. If you withdraw your consent, this will not affect the lawfulness of the Processing conducted based on consent before its withdrawal.

B. Right of Access. You have the right to obtain confirmation as to whether or not we collect or Process Personal Data concerning you and, if this is the case, you have the right to request a copy of such Personal Data in digital format.

C. Right of Rectification. You have the right to require that we correct any inaccurate Personal Data concerning you, and that we complete incomplete Personal Data.

D. Right of Erasure. In certain circumstances, you have the right to request that we erase Personal Data concerning you; for example, if it is no longer necessary for the purposes for which it was originally collected and we do not otherwise have a legitimate reason to retain it.

We may need to retain certain Personal Data when legally required, for internal record keeping purposes, and/or in order to complete any transactions initiated prior to an individual’s request to remove or delete their Personal Data. Where we are unable to delete data from our systems, we will anonymize it so it will no longer be tied to your identity.

E. Right to Restrict Processing. In certain circumstances, you have the right to request that we restrict the Processing of the Personal Data that we have collected about you; for example, where you believe that the Personal Data that we hold about you is not accurate or lawfully held.

F. Right to Data Portability.  In certain circumstances, you have the right to receive the Personal Data concerning you that you have provided to us in a structured, commonly used, machine readable format, and for us to transmit the data to another entity where technically feasible.

G. Right to Object to the Processing.  In certain circumstances, you have the right to request that we stop Processing your Personal Data, including where we rely on legitimate interests as the legal basis in the tables on the details of Processing provided above.  If you receive commercial electronic communications from us, you can unsubscribe from the receipt of future commercial electronic communications from us by clicking on the “unsubscribe” link provided in such communications.  Please also note that if you do opt out of receiving commercial electronic communications from us, we may still send you important administrative messages (such as updates about your account or changes in the Services), and you cannot opt out from receiving these messages, unless you stop receiving our Services.

H. Right Not to be Subject to Decisions Based Solely on Automated Processing that Produce Legal Effects. We do not make decisions based solely on automated processing - including profiling - that produces legal effects or similarly affects you.

I. Right to Complain to a Supervisory Authority.  You have the right to lodge a complaint with a Supervisory Authority if you believe that our Processing of Personal Data relating to you is inconsistent with our obligations under the GDPR. In this situation, we ask that you please consider contacting us first, so that we can try to assist with your query or address your concern.

To exercise any of your rights as set forth herein, please contact us in writing, via email or postal mail as indicated in Section IV “Our Contact Details” above, so that we may consider your request under applicable law. We may ask that you provide the following Personal Data for us to address your request speedily:   

  • The name, User ID, pseudonym, email address, or other identifier you have provided to us or if you have not otherwise previously interacted with us, your first and last name and an address where we can correspond with you;
  • The country in which you are located;
  • A clear description of the Personal Data or content you wish to receive or to be deleted or corrected, or the action you wish to be taken; and
  • Sufficient information to allow us to locate the content or Personal Data to be deleted, removed, or corrected.

For your protection, we may only implement requests with respect to the Personal Data that are associated with the particular email address that you use to send us your request.  In addition, please note that, depending on the nature of your inquiry, request, or complaint, we may need to verify your identity before implementing your request and may require proof of identity, such as in the form of a government issued ID and proof of your physical address.  We will try to comply with your request as soon as reasonably practicable and in any case within the timelines prescribed by applicable laws.  However, we reserve the right to refuse to act on a request that is manifestly unfounded or excessive (for example because it is repetitive) and/or, in some cases, to charge a fee that takes into account the administrative costs for providing the information or the communication or taking the action requested.

CYXTERA AND APPGATE EU-U.S. AND SWISS-U.S. PRIVACY SHIELD POLICY

Last Updated: May 13, 2020

I. Scope & Application

This EU-U.S. and Swiss-U.S. Privacy Shield Policy (the “Privacy Shield Policy”) addresses the transfer of personal data from the EEA/EU/UK/Switzerland to Group Affiliates in the United States 1. As noted in our GDPR Privacy Policy, we may Process EEA/EU/UK or Swiss Personal Data received from or about individuals who:

  • visit or use our Websites;  
  • interact with us on behalf of a Customer in connection with the provision of our Services;
  • interact with us on behalf of a Service Provider in connection with the products and services our Service Provider provides to us;
  • interact with us on behalf of a business partner in connection with our relationship with the business partner;
  • apply to work with us;
  • receive marketing communications from us; and/or
  • interact with us by registering for, attending and/or otherwise taking part in our trade events, webinars, or conferences or communicate with us via email, phone, or in-person interactions.

This Privacy Shield Policy supplements the General Privacy Policy and applies to EEA/EU/UK and Swiss Personal Data that is received from the EEA/EU/UK or Switzerland by the Group in the US and is within the scope of the EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield 2. The following Group affiliates are covered by this Privacy Shield Policy:  Brainspace Corporation; Catbird Networks, Inc.; Cryptzone International Holdings, Inc.; Cryptzone North America, Inc.; Cryptzone Worldwide, Inc.; Cyxtera Canada, LLC; Cyxtera Communications, LLC; Cyxtera Data Centers, Inc.; Cyxtera DC Holdings, Inc.; Cyxtera DC Parent Holdings, Inc.; Cyxtera Federal Group, Inc.; Cyxtera Management, Inc.; Cyxtera Cybersecurity, Inc. d/b/a AppGate; Cyxtera Technologies, Inc.; Easy Solutions Enterprises Corp.; Easy Solutions, Inc.; Immunity Federal Services, LLC; Immunity Products, LLC; Immunity Services, LLC; Immunity, Inc.; SIS Holdings LP.

If there is any conflict between the terms of this Privacy Shield Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  If this Privacy Shield Policy is inconsistent with the General Privacy Policy and/or GDPR Privacy Policy with regard to the Processing of EEA/EU/UK or Swiss Personal Data, this Privacy Shield Policy shall prevail.

For more information about the Privacy Shield program, or to view our certification, please visit https://www.privacyshield.gov/.

------------------------

1 This Privacy Shield Policy reflects the internal reorganization of our corporate structure whereby Cyxtera Cybersecurity, Inc. d/b/a AppGate, including its subsidiaries and Affiliates (“AppGate”), was spun-out from Cyxtera Technologies, Inc., including its post-reorganization subsidiaries and Affiliates (“Cyxtera”).  Cyxtera and AppGate may be referred to herein collectively as “the Group,” “we,” “our,” or “us” except for certain provisions where the context is limited to Cyxtera or AppGate as separate organizations.

2 The Group’s agreements with its Customers determine whether Personal Data that is transferred to points outside the European Economic Area, European Union, the United Kingdom or Switzerland are to be covered by the EU-U.S. Privacy Shield Principles or Swiss-U.S. Privacy Shield Principles or another approved adequacy mechanism, including the EU Standard Contractual Clauses. In the event that the relevant agreement is silent on this point, this Privacy Shield Policy shall apply to the EEA/EU (including UK) and Swiss Personal Data covered by such agreement.

II. Definitions

Please see the definitions as presented in the General Privacy Policy found here.

III. Compliance with EU-U.S. and Swiss-U.S. Privacy Shield

The Group complies with the EU-U.S. and Swiss-U.S. Privacy Shield Framework Principles and the Supplemental Principles (collectively, the “Principles”), as confirmed in further detail below.

A. Notice

    The Group adheres to the Notice Principle. The Group has certified its adherence to the Principles insofar as they apply to the Group in its role as Controller or Processor as the case may be in the given context.

    1. The Group’s Collection, Use, and Disclosure of EEA/EU/UK and Swiss Personal Data

    The Group collects, uses, and discloses EEA/EU/UK and Swiss Personal Data relating to Website Visitors, Representatives, and other individuals with whom it interacts when performing, advertising, and demonstrating its Services or in connection with other interactions. The Group may also Process EEA/EU/UK or Swiss Personal Data of applicants to work at the Group. The Group also may Process EEA/EU/UK or Swiss Personal Data as a Processor pursuant to the Customer’s or other person’s or entity’s instruction.

    2. Means for Individuals to Limit Use and Disclosure of EEA/EU/UK and Swiss Personal Data

    In our role as Controllers, we adhere to the Choice Principle and the Sensitive Data and Choice – Timing of Opt Out Supplemental Principles.  We offer individuals choice regarding the processing of their EEA/EU/UK and Swiss Personal Data, including where relevant Sensitive Data, as described in Section III.B of this Privacy Shield Policy.

    3. Inquiries and Complaints, and Right of Recourse

    Individuals may contact us to submit inquiries or complaints regarding their adherence to the Principles and to request access to their EEA/EU/UK and Swiss Personal Data by contacting us via email at privacy@cyxtera.com or privacy@appgate.com, depending on the applicable entity with which you are interacting, or writing to us at 2333 Ponce de Leon Blvd., Suite 900, Coral Gables, Florida 33134, Attention: Cyxtera Legal Department or AppGate Legal Department, as applicable. Please see Section III.F of this Privacy Shield Policy for more information regarding the right to request access to EEA/EU/UK and Swiss Personal Data.

    For information about how to pursue unresolved complaints relating to this Privacy Shield Policy, please see Section III.G below.

    4. The Group Is Subject to the Investigatory and Enforcement Powers of the Federal Trade Commission and Complies With Lawful Data Requests

    The Group is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). The Group may be required to disclose EEA/EU/UK and Swiss Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

    5. Liability in the Case of Onward Transfers

    In the context of an onward transfer, we are responsible for the Processing of EEA/EU/UK and Swiss Personal Data that we receive and subsequently transfer to a Service Provider acting on our behalf. We remain liable under the Principles if our Service Provider Processes such EEA/EU/UK or Swiss Personal Data in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage.

B. Choice

    We may obtain consent directly from individuals to Process their EEA/EU/UK and Swiss Personal Data in connection with the use of our Websites or through other interactions between the Group and Representatives associated with Customers or other persons or entities and applicants for employment.

    We offer individuals who are covered by this Privacy Shield Policy the opportunity to choose whether his or her EEA/EU/UK and Swiss Personal Data is to be disclosed to a third party (“opt out”) other than Service Providers acting on our behalf, which are contractually obligated to adhere to the onward transfer provisions (see Section III.C below).

    When acting as a Controller, we also offer individuals who are covered by this Privacy Shield Policy the opportunity to opt out if we provide notice that we intend to use his or her EEA/EU/UK or Swiss Personal Data for a purpose that is materially different from the purpose(s) for which it was originally collected or authorized by the individual in question. Individuals may opt out by sending an email to: unsubscribe@cyxtera.com or unsubscribe@appgate.com, depending on the entity with which you are interacting. If opting out, please provide, at a minimum, your name and identify your employer in order to assist us in verifying your identity, and please identify the uses or disclosures of EEA/EU/UK and Swiss Personal Data for which you are choosing to opt out. Note that opting out may affect our ability to provide our Services and impact our interactions with individuals.

    With regard to Sensitive Data, when we act as a Controller, we will obtain affirmative express consent (opt-in) if Sensitive Data is to be disclosed to a third party or is to be used for a purpose other than that for which it was originally collected or subsequently authorized by the individuals through the exercise of opt in choice, unless the EEA/EU/UK or Swiss Personal Data in question is subject to an exception contained in the Sensitive Data Supplemental Principle.

    In cases where we are acting as a Processor, we will assist the other party in complying with the Choice Principle.

    Please see Section III.A.2 of this Privacy Shield Policy for more information regarding our adherence to the Choice Principle and the Sensitive Data and Choice – Timing of Opt Out Supplemental Principles.  

C. Accountability for Onward Transfer

    We adhere to the Accountability for Onward Transfer Principle and the Obligatory Contracts for Onward Transfer Supplemental Principle.

D. Security

    We adhere to the Security Principle. We take reasonable and appropriate measures to protect EEA/EU/UK and Swiss Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the Processing and the nature of the EEA/EU/UK and Swiss Personal Data. In cases where we are acting as a Processor, we secure EEA/EU/UK and Swiss Personal Data in accordance with our contractual obligations to the other party.

E. Data Integrity and Purpose Limitation

    In our role as Controllers, the Group adheres to the Data Integrity and Purpose Limitation Principle. Our collection and use of EEA/EU/UK and Swiss Personal Data is limited to the EEA/EU/UK and Swiss Personal Data that is relevant for the purposes of Processing, including, for example, those that, depending on the circumstances, reasonably serve Customer relations, the application process, compliance and legal considerations, auditing and due diligence, security and fraud prevention, preserving or defending the Group’s legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection. This may include Processing in the manner described in the Performing Due Diligence and Conducting Audits Supplemental Principle.

    We will keep the EEA/EU/UK and Swiss Personal Data in accordance with the terms and conditions of the relevant agreement in cases where the Group is acting as a Processor or agent. In cases where we are acting as a Controller, we may retain the EEA/EU/UK and Swiss Personal Data for the longer of any of the following: (i) the period during which an individual is actively using the Websites, serving as a Customer Representative, acting as a Representative of a Service Provider of the Group or otherwise interacting with the Group; (ii) the period specified in the unambiguous consent to the Processing of its data by us for specified purposes; or (iii) as long as necessary for us to meet any applicable legal requirements or to protect our legitimate interests, including with respect to actual or potential legal claims.

F. Access

    In our role as a Controller, we adhere to the Access Principle and Access Supplemental Principle. Individuals may obtain access to EEA/EU/UK and Swiss Personal Data about them that we hold. For this purpose, “access” means that individuals have the right to: (i) obtain from the Group confirmation of whether or not we are Processing EEA/EU/UK and Swiss Personal Data relating to them; (ii) have communicated to them EEA/EU/UK and Swiss Personal Data relating to them so that they can verify its accuracy and the lawfulness of the Processing; and (iii) have the EEA/EU/UK and Swiss Personal Data corrected, amended, or deleted where it is inaccurate or Processed in violation of the Principles. Individuals may request to access their EEA/EU/UK and Swiss Personal Data using the contact information listed in Section III.A.3 above.

    We may limit or deny access as provided in the Principles, including where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. If we determine that access should be restricted in any particular instance, we will provide as appropriate to the individual requesting access an explanation of why the Group has made a determination to restrict access and a contact point for any further inquiries. We are not required to provide access unless we are supplied with sufficient information to allow us to confirm the identity of the person making the request. We will respond to all access requests within a reasonable time period, in a reasonable manner, and in a form that is readily intelligible to the individual.

    In cases where the Group is acting as a Processor, we will assist the other party in meeting its obligation to provide access, or we will obtain authorization from the other party prior to providing access or refer the requesting individual to the appropriate contact at the other party.

    We may charge a fee for providing access where necessary or appropriate.

    Please see Section III.A.3 of this Privacy Shield Policy for more information regarding our adherence to the Access Principle and Access Supplemental Principle.

G. Recourse, Enforcement, and Liability

    The Group adheres to the Recourse, Enforcement, and Liability Principle and the Verification and Dispute Resolution and Enforcement Supplemental Principles. We have established in-house procedures for receiving and addressing complaints. Individuals may contact us to submit inquiries or complaints regarding our adherence to the Principles using the contact information listed in Section III.A.3 above. We will respond to individuals within 45 days of receiving a complaint.  

    The Group utilizes the American Arbitration Association, an alternative dispute resolution provider based in the United States, to investigate and expeditiously resolve complaints and disputes that cannot be resolved internally, at no cost to the individual, by reference to the Principles. Unresolved complaints may be directed to the American Arbitration Association using the complaint submission form found here. Individuals are encouraged to raise any complaints they have with us before proceeding to the American Arbitration Association. The American Arbitration Association complaint recourse mechanism described here is available to individuals whose EEA/EU/UK and Swiss Personal Data has been collected or Processed by the Group under the Principles. The American Arbitration Association complaint recourse mechanism is not available to individuals whose EEA/EU/UK and Swiss Personal Data has been collected or Processed by the Group under any other EEA/EU/UK or Swiss data transfer adequacy mechanism. Under certain conditions specified on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.

    The Group has implemented a self-assessment procedure to verify that the attestations and assertions that we have made about our Privacy Shield privacy practices are true and that they have been implemented as presented and in accordance with the Principles. We are obligated to remedy problems arising out of any failure to comply with the Principles.

    Please see Section III.A.3 of this Privacy Shield Policy for more information regarding our adherence to the Recourse, Enforcement, and Liability Principle and the Verification and Dispute Resolution and Enforcement Supplemental Principles.

H. Adherence to the Principles

    Where applicable, the Group adheres to, or its data practices with respect to EEA/EU/UK and Swiss Personal Data are consistent with, the Principles, including those not specifically listed above, such as the Supplemental Principles of: Self-Certification; Public Record and Publicly Available Information; and Access Requests by Public Authorities.