EU-U.S. and Swiss-U.S. Data Privacy Framework Principles

EU-U.S. and Swiss-U.S. Data Privacy Framework Principles

Effective: March 6, 2024

I. Scope & Application

The purpose of this policy is to ensure Cyxtera Technologies (“Cyxtera”) compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles Policy set forth by the United States Department of Commerce with respect to the collection, use and retention of Personal Data transferred from the European Union, United Kingdom, and Switzerland to the United States as further described herein (collectively, the “DPF Policy”). This DPF Policy outlines our commitment to the DPF Principles (the “Principles”) and our practices for implementing the principles.

The Group complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF),(collectively the “Data Privacy Framework Principles” or the “DPF”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EU, the UK, and Switzerland to the United States. Although The Group no longer relies on the DPF, as a lawful transfer mechanism, but instead relies on Standard Contractual Clauses, Group Affiliates in the United States continue to apply the DPF to the data previously transferred to them pursuant to the DPF.

This policy can be found at cyxtera.com/data-privacy-framework-principles.

II. Definitions

Please see the definitions as presented in the General Privacy Policy found here.

III. Compliance with Data Privacy Principles Framework

The Group complies with EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.

The Group has certified to the U.S. Department of Commerce that it adheres to the Swiss‑U.S. Data Privacy Framework Principles (Swiss‑U.S. DPF Principles) with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss‑U.S. DPF.

If there is any conflict between the terms in this privacy policy and the EU‑U.S. DPF Principles, the UK Extension to the EU‑U.S. DPF, and/or the Swiss‑U.S. DPF Principles, the Principles shall govern. If this Policy is inconsistent with the company’s General Privacy Policy, where applicable, and/or the company’s GDPR Privacy Policy regarding the Processing of EU/UK or Swiss Personal Data, this Policy shall prevail.

To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov.

Further detail below regarding compliance with DPF:

A. Notice

The Group adheres to the Notice Principle. The Group has certified its adherence to the Principles insofar as they apply to the Group in its role as Controller or Processor as the case may be in the given context, in regard to Personal Data that is covered by this Privacy Framework Policy.

1. The Group’s Collection, Use, and Disclosure of EEA/EU/UK and Swiss Personal Data

The Group collects, uses, and discloses EEA/UK/Swiss Personal Data relating to Website Visitors, Representatives, and other individuals with whom it interacts when performing, advertising, and demonstrating its Services or in connection with other interactions. The Group may also Process EEA/UK/Swiss Personal Data of applicants to work at the Group. The Group also may Process EEA/UK/Swiss Personal Data as a Processor pursuant to the Customer’s or other person’s or entity’s instruction.

2. Means for Individuals to Limit Use and Disclosure of EEA/EU/UK and Swiss Personal Data

In our role as Controllers, we adhere to the Choice Principle and the Sensitive Data and Choice – Timing of Opt Out Supplemental Principles. We offer individuals whose Personal Data is subject to this Policy choice regarding the processing of their EU/UK/Swiss Personal Data, including where relevant Sensitive Data, as described in Section III.B of this Policy.

3. Inquiries and Complaints, and Right of Recourse

Individuals whose Personal Data is covered by this Privacy Framework Policy may contact us to submit inquiries or complaints regarding their adherence to the Principles and to request access to their EEA/UK/Swiss Personal Data by contacting us via email at privacy@cyxtera.com, or writing to us at 2333 Ponce de Leon Blvd., Suite 900, Coral Gables, Florida 33134, Attention: Cyxtera Legal Department. Please see Section III.F of this Privacy Framework Policy for more information regarding the right to request access to EEA/UK/Swiss Personal Data.

For information about how to pursue unresolved complaints relating to this Privacy Framework Policy, please see Section III.G below.

4. The Group Is Subject to the Investigatory and Enforcement Powers of the Federal Trade Commission and Complies With Lawful Data Requests

The Group is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) regarding Personal Data received and processed pursuant to the Data Privacy Framework Principles. The Group may be required to disclose EEA/UK/Swiss Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

5. Liability in the Case of Onward Transfers

In the context of an onward transfer, we are responsible for the Processing of EEA, UK and Swiss Personal Data received pursuant to the Data Privacy Framework Principles and subsequently transferred to a Service Provider acting on our behalf. We remain liable under the Principles if our Service Provider Processes such EEA/UK/Swiss Personal Data in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage.

B. Choice

We may obtain consent directly from individuals to Process their EEA/UK/Swiss Personal Data in connection with the use of our Websites or through other interactions between the Group and Representatives associated with Customers or other persons or entities and applicants for employment.

We offer individuals who are covered by this Privacy Framework Policy the opportunity to choose whether his or her EEA/UK/Swiss Personal Data is to be disclosed to a third party (“opt out”) other than Service Providers acting on our behalf, which are contractually obligated to adhere to the onward transfer provisions (see Section III.C below).

When acting as a Controller, we also offer individuals who are covered by this Privacy Framework Policy the opportunity to opt out if we provide notice that we intend to use his or her EEA/UK/Swiss Personal Data for a purpose that is materially different from the purpose(s) for which it was originally collected or authorized by the individual in question. Individuals may opt out by sending an email to: unsubscribe@cyxtera.com. If opting out, please provide, at a minimum, your name and identify your employer in order to assist us in verifying your identity, and please identify the uses or disclosures of EEA/UK/Swiss Personal Data for which you are choosing to opt out. Note that opting out may affect our ability to provide our Services and impact our interactions with individuals.

With regard to Sensitive Data, when we act as a Controller, we will obtain affirmative express consent (opt-in) if Sensitive Data is to be disclosed to a third party or is to be used for a purpose other than that for which it was originally collected or subsequently authorized by the individuals through the exercise of opt in choice, unless the EEA/UK/Swiss Personal Data in question is subject to an exception contained in the Sensitive Data Supplemental Principle.

In cases where we are acting as a Processor, we will assist the other party in complying with the Choice Principle.

Please see Section III.A.2 of this Privacy Framework Policy for more information regarding our adherence to the Choice Principle and the Sensitive Data and Choice – Timing of Opt Out Supplemental Principles

C. Accountability for Onward Transfer

For Personal Data covered by the Privacy Framework Policy, we adhere to the Accountability for Onward Transfer Principle and the Obligatory Contracts for Onward Transfer Supplemental Principle.

D. Security

For Personal Data covered by this Privacy Framework Policy, we adhere to the Security Principle. We take reasonable and appropriate measures to protect EEA/UK/Swiss Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the Processing and the nature of the EEA/UK/Swiss Personal Data. In cases where we are acting as a Processor, we secure EEA/UK/Swiss Personal Data in accordance with our contractual obligations to the other party.

E. Data Integrity and Purpose Limitation

In our role as Controllers, the Group adheres to the Data Integrity and Purpose Limitation Principle for Personal Data covered by this Privacy Framework Policy. Our collection and use of EEA/UK/Swiss Personal Data is limited to the EEA, UK and Swiss Personal Data that is relevant for the purposes of Processing, including, for example, those that, depending on the circumstances, reasonably serve Customer relations, the application process, compliance and legal considerations, auditing and due diligence, security and fraud prevention, preserving or defending the Group’s legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection. This may include Processing in the manner described in the Performing Due Diligence and Conducting Audits Supplemental Principle.

We will keep the EEA/UK/Swiss Personal Data covered by this Privacy Framework Policy in accordance with the terms and conditions of the relevant agreement in cases where the Group is acting as a Processor or agent. In cases where we are acting as a Controller, we may retain the EEA/UK/Swiss Personal Data for the longer of any of the following: (i) the period during which an individual is actively using the Websites, serving as a Customer Representative, acting as a Representative of a Service Provider of the Group or otherwise interacting with the Group; (ii) the period specified in the unambiguous consent to the Processing of its data by us for specified purposes; or (iii) as long as necessary for us to meet any applicable legal requirements or to protect our legitimate interests, including with respect to actual or potential legal claims.

F. Access

In our role as a Controller, we adhere to the Access Principle and Access Supplemental Principle for Personal Data covered by this Privacy Framework Policy. Individuals may obtain access to EEA, UK and Swiss Personal Data about them that we hold. For this purpose, “access” means that individuals have the right to: (i) obtain from the Group confirmation of whether or not we are Processing EEA, UK and Swiss Personal Data relating to them; (ii) have communicated to them EEA, UK and Swiss Personal Data relating to them so that they can verify its accuracy and the lawfulness of the Processing; and (iii) have the EEA, UK and Swiss Personal Data corrected, amended, or deleted where it is inaccurate or Processed in violation of the Principles. Individuals may request to access their EEA, UK and Swiss Personal Data using the contact information listed in Section III.A.3 above.

We may limit or deny access as provided in the Principles, including where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. If we determine that access should be restricted in any particular instance, we will provide as appropriate to the individual requesting access an explanation of why the Group has made a determination to restrict access and a contact point for any further inquiries. We are not required to provide access unless it is supplied with sufficient information to allow it to confirm the identity of the person making the request. We will respond to all access requests within a reasonable time period, in a reasonable manner, and in a form that is readily intelligible to the individual.

In cases where the Group is acting as a Processor, we will assist the other party in meeting its obligation to provide access, or we will obtain authorization from the other party prior to providing access or refer the requesting individual to the appropriate contact at the other party.

We may charge a fee for providing access where necessary or appropriate.

Please see Section III.A.3 of this Privacy Framework Policy for more information regarding our adherence to the Access Principle and Access Supplemental Principle.

G. Recourse, Enforcement, and Liability

For Personal Data covered by this Policy, the Group adheres to the Recourse, Enforcement, and Liability Principle and the Verification and Dispute Resolution and Enforcement Supplemental Principles. We have established in-house procedures for receiving and addressing complaints. Individuals may contact us to submit inquiries or complaints regarding our adherence to the Principles using the contact information listed in Section III.A.3 above. We will respond to individuals within 45 days of receiving a complaint.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Cyxtera commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to International Centre for Dispute Resolution (“ICDR”), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://go.adr.org/dpf_irm.html for more information or to file a complaint. The services of International Centre for Dispute Resolution (“ICDR”) are provided at no cost to you.

The Group has implemented a self-assessment procedure to verify that the attestations and assertions that we have made about our privacy practices are true and that they have been implemented as presented and in accordance with the Principles. We are obligated to remedy problems arising out of any failure to comply with the Principles.

Please see Section III.A.3 of this Policy for more information regarding our adherence to the Recourse, Enforcement, and Liability Principle and the Verification and Dispute Resolution and Enforcement Supplemental Principles.

H. Adherence to the Principles

Where applicable, the Group adheres to, or its data practices with respect to EEA, UK and Swiss Personal Data received pursuant to this Privacy Framework Policy are consistent with, the Principles, including those not specifically listed above, such as the Supplemental Principles of: Self-Certification; Public Record and Publicly Available Information; and Access Requests by Public Authorities.

©2024 Cyxtera Technologies, Inc. General Privacy Policy Cookie Policy Terms of Use UK Modern Slavery Statement Accessibility Canada