EU-U.S. and Swiss-U.S. Privacy Shield Policy
Effective: October 20, 2021
I. Scope & Application
This EU-U.S. and Swiss-U.S. Privacy Shield Policy (the “Privacy Shield Policy”) covers personal information transferred from the EEA/UK/Switzerland to the United States pursuant to the Privacy Shield Framework before it was invalidated by the Court of Justice of the European Union in July 2020. Although Cyxtera no longer relies on the Privacy Shield Framework as a lawful transfer mechanism but instead relies on Standard Contractual Clauses, Group Affiliates in the United States continue to apply the Privacy Shield Principles to the data previously transferred to them pursuant to the Privacy Shield Framework.
For more information about the Privacy Shield program, or to view our certification and the list of self-certified Group Affiliates, please visit https://www.privacyshield.gov/
III. Compliance with EU-U.S. and Swiss-U.S. Privacy Shield
With regard to Personal Data received pursuant to the effective Privacy Shield Framework, the Group complies with the EU-U.S. and Swiss-U.S. Privacy Shield Framework Principles and the Supplemental Principles (collectively, the “Principles”), as confirmed in further detail below.
The Group adheres to the Notice Principle. The Group has certified its adherence to the Principles insofar as they apply to the Group in its role as Controller or Processor as the case may be in the given context, in regard to Personal Data that is covered by this Privacy Shield Policy.
1. The Group’s Collection, Use, and Disclosure of EEA/EU/UK and Swiss Personal Data
The Group collects, uses, and discloses EEA/UK/Swiss Personal Data relating to Website Visitors, Representatives, and other individuals with whom it interacts when performing, advertising, and demonstrating its Services or in connection with other interactions. The Group may also Process EEA/UK/Swiss Personal Data of applicants to work at the Group. The Group also may Process EEA/UK/Swiss Personal Data as a Processor pursuant to the Customer’s or other person’s or entity’s instruction.
2. Means for Individuals to Limit Use and Disclosure of EEA/EU/UK and Swiss Personal Data
In our role as Controllers, we adhere to the Choice Principle and the Sensitive Data and Choice – Timing of Opt Out Supplemental Principles. We offer individuals whose Personal Data is subject to this Privacy Shield Policy choice regarding the processing of their EEA/UK/Swiss Personal Data, including where relevant Sensitive Data, as described in Section III.B of this Privacy Shield Policy.
3. Inquiries and Complaints, and Right of Recourse
Individuals whose Personal Data is covered by this Privacy Shield Policy may contact us to submit inquiries or complaints regarding their adherence to the Principles and to request access to their EEA/UK/Swiss Personal Data by contacting us via email at firstname.lastname@example.org, or writing to us at 2333 Ponce de Leon Blvd., Suite 900, Coral Gables, Florida 33134, Attention: Cyxtera Legal Department. Please see Section III.F of this Privacy Shield Policy for more information regarding the right to request access to EEA/UK/Swiss Personal Data.
For information about how to pursue unresolved complaints relating to this Privacy Shield Policy, please see Section III.G below.
4. The Group Is Subject to the Investigatory and Enforcement Powers of the Federal Trade Commission and Complies With Lawful Data Requests
The Group is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) in regard to Personal Data received and Processed pursuant to the Privacy Shield Framework. The Group may be required to disclose EEA/UK/Swiss Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
5. Liability in the Case of Onward Transfers
In the context of an onward transfer, we are responsible for the Processing of EEA, UK and Swiss Personal Data received pursuant to the Privacy Shield Framework and subsequently transferred to a Service Provider acting on our behalf. We remain liable under the Principles if our Service Provider Processes such EEA/UK/Swiss Personal Data in a manner inconsistent with the Principles, unless we prove that we are not responsible for the event giving rise to the damage.
We may obtain consent directly from individuals to Process their EEA/UK/Swiss Personal Data in connection with the use of our Websites or through other interactions between the Group and Representatives associated with Customers or other persons or entities and applicants for employment.
We offer individuals who are covered by this Privacy Shield Policy the opportunity to choose whether his or her EEA/UK/Swiss Personal Data is to be disclosed to a third party (“opt out”) other than Service Providers acting on our behalf, which are contractually obligated to adhere to the onward transfer provisions (see Section III.C below).
When acting as a Controller, we also offer individuals who are covered by this Privacy Shield Policy the opportunity to opt out if we provide notice that we intend to use his or her EEA/UK/Swiss Personal Data for a purpose that is materially different from the purpose(s) for which it was originally collected or authorized by the individual in question. Individuals may opt out by sending an email to: email@example.com. If opting out, please provide, at a minimum, your name and identify your employer in order to assist us in verifying your identity, and please identify the uses or disclosures of EEA/UK/Swiss Personal Data for which you are choosing to opt out. Note that opting out may affect our ability to provide our Services and impact our interactions with individuals.
With regard to Sensitive Data, when we act as a Controller, we will obtain affirmative express consent (opt-in) if Sensitive Data is to be disclosed to a third party or is to be used for a purpose other than that for which it was originally collected or subsequently authorized by the individuals through the exercise of opt in choice, unless the EEA/UK/Swiss Personal Data in question is subject to an exception contained in the Sensitive Data Supplemental Principle.
In cases where we are acting as a Processor, we will assist the other party in complying with the Choice Principle.
Please see Section III.A.2 of this Privacy Shield Policy for more information regarding our adherence to the Choice Principle and the Sensitive Data and Choice – Timing of Opt Out Supplemental Principles
C. Accountability for Onward Transfer
For Personal Data covered by the Privacy Shield Policy, we adhere to the Accountability for Onward Transfer Principle and the Obligatory Contracts for Onward Transfer Supplemental Principle.
For Personal Data covered by this Privacy Shield Policy, we adhere to the Security Principle. We take reasonable and appropriate measures to protect EEA/UK/Swiss Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the Processing and the nature of the EEA/UK/Swiss Personal Data. In cases where we are acting as a Processor, we secure EEA/UK/Swiss Personal Data in accordance with our contractual obligations to the other party.
E. Data Integrity and Purpose Limitation
In our role as Controllers, the Group adheres to the Data Integrity and Purpose Limitation Principle for Personal Data covered by this Privacy Shield Policy. Our collection and use of EEA/UK/Swiss Personal Data is limited to the EEA, UK and Swiss Personal Data that is relevant for the purposes of Processing, including, for example, those that, depending on the circumstances, reasonably serve Customer relations, the application process, compliance and legal considerations, auditing and due diligence, security and fraud prevention, preserving or defending the Group’s legal rights, or other purposes consistent with the expectations of a reasonable person given the context of the collection. This may include Processing in the manner described in the Performing Due Diligence and Conducting Audits Supplemental Principle.
We will keep the EEA/UK/Swiss Personal Data covered by this Privacy Shield Policy in accordance with the terms and conditions of the relevant agreement in cases where the Group is acting as a Processor or agent. In cases where we are acting as a Controller, we may retain the EEA/UK/Swiss Personal Data for the longer of any of the following: (i) the period during which an individual is actively using the Websites, serving as a Customer Representative, acting as a Representative of a Service Provider of the Group or otherwise interacting with the Group; (ii) the period specified in the unambiguous consent to the Processing of its data by us for specified purposes; or (iii) as long as necessary for us to meet any applicable legal requirements or to protect our legitimate interests, including with respect to actual or potential legal claims.
In our role as a Controller, we adhere to the Access Principle and Access Supplemental Principle for Personal Data covered by this Privacy Shield Policy. Individuals may obtain access to EEA, UK and Swiss Personal Data about them that we hold. For this purpose, “access” means that individuals have the right to: (i) obtain from the Group confirmation of whether or not we are Processing EEA, UK and Swiss Personal Data relating to them; (ii) have communicated to them EEA, UK and Swiss Personal Data relating to them so that they can verify its accuracy and the lawfulness of the Processing; and (iii) have the EEA, UK and Swiss Personal Data corrected, amended, or deleted where it is inaccurate or Processed in violation of the Principles. Individuals may request to access their EEA, UK and Swiss Personal Data using the contact information listed in Section III.A.3 above.
We may limit or deny access as provided in the Principles, including where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. If we determine that access should be restricted in any particular instance, we will provide as appropriate to the individual requesting access an explanation of why the Group has made a determination to restrict access and a contact point for any further inquiries. We are not required to provide access unless it is supplied with sufficient information to allow it to confirm the identity of the person making the request. We will respond to all access requests within a reasonable time period, in a reasonable manner, and in a form that is readily intelligible to the individual.
In cases where the Group is acting as a Processor, we will assist the other party in meeting its obligation to provide access, or we will obtain authorization from the other party prior to providing access or refer the requesting individual to the appropriate contact at the other party.
We may charge a fee for providing access where necessary or appropriate.
Please see Section III.A.3 of this Privacy Shield Policy for more information regarding our adherence to the Access Principle and Access Supplemental Principle.
G. Recourse, Enforcement, and Liability
For Personal Data covered by this Privacy Shield Policy, the Group adheres to the Recourse, Enforcement, and Liability Principle and the Verification and Dispute Resolution and Enforcement Supplemental Principles. We have established in-house procedures for receiving and addressing complaints. Individuals may contact us to submit inquiries or complaints regarding our adherence to the Principles using the contact information listed in Section III.A.3 above. We will respond to individuals within 45 days of receiving a complaint.
The Group utilizes the American Arbitration Association, an alternative dispute resolution provider based in the United States, to investigate and expeditiously resolve complaints and disputes that cannot be resolved internally, at no cost to the individual, by reference to the Principles. Unresolved complaints may be directed to the American Arbitration Association using the complaint submission form found here. Individuals are encouraged to raise any complaints they have with us before proceeding to the American Arbitration Association. The American Arbitration Association complaint recourse mechanism described here is available to individuals whose EEA, UK and Swiss Personal Data has been collected or Processed by the Group under the Principles. The American Arbitration Association complaint recourse mechanism is not available to individuals whose EEA, UK and Swiss Personal Data has been collected or Processed by the Group under any other EEA, UK or Swiss data transfer adequacy mechanism. Under certain conditions, specified on the Privacy Shield website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
The Group has implemented a self-assessment procedure to verify that the attestations and assertions that we have made about our Privacy Shield privacy practices are true and that they have been implemented as presented and in accordance with the Principles. We are obligated to remedy problems arising out of any failure to comply with the Principles.
Please see Section III.A.3 of this Privacy Shield Policy for more information regarding our adherence to the Recourse, Enforcement, and Liability Principle and the Verification and Dispute Resolution and Enforcement Supplemental Principles.
H. Adherence to the Principles
Where applicable, the Group adheres to, or its data practices with respect to EEA, UK and Swiss Personal Data received pursuant to this Privacy Shield Policy are consistent with, the Principles, including those not specifically listed above, such as the Supplemental Principles of: Self-Certification; Public Record and Publicly Available Information; and Access Requests by Public Authorities.