Date Last Updated: September 27, 2021
- visit or use our Websites;
- interact with us on behalf of a Customer in connection with the provision of our Services;
- interact with us on behalf of a Service Provider in connection with the products and services our Service Provider provides to us;
- interact with us on behalf of a business partner in connection with our relationship with the business partner;
- apply to work with us;
- receive marketing communications from us; and/or
- interact with us by registering for, attending and/or otherwise taking part in our trade events, webinars, or conferences or communicate with us via email, phone, or in-person interactions.
III. Identification of Controllers
Cyxtera’s entities located in the EEA/UK that act as Controllers include the following:
- Cyxtera Technology UK Limited
- Cyxtera Germany GmbH
- Cyxtera Netherlands B.V.
For our Customers, Service Providers, business partners, and Representatives associated with us, the relevant Controller is the EEA/UK entity with which you have contracted; or, if you did not contract with an EEA/UK entity, the EEA/UK entity as determined by us. For job applicants who apply to work with us, the Controller is the EEA/UK entity you applied to work for as determined by us.
IV. Our Contact Details
If you have any questions or concerns as to how your Personal Data is Processed, please write to us at email@example.com or at 5 Churchill Place, 10th Floor, London E14 5HU (Attn: Cyxtera Legal Department).
V. Cyxtera’s Data Collection Practices
A. What Types of Personal Data Does Cyxtera Collect?
Cyxtera collects and processes the following categories of Personal Data from Customers, Service Providers, business partners, Representatives, Website Visitors, prospective employees, individuals that receive marketing communications from Cyxtera and individuals that interact with Cyxtera by registering for, attending and/or otherwise taking part in Cyxtera’s trade events, webinars or conferences or who communicate with Cyxtera via email, phone or in person, in each case to operate its business for the specific purposes identified below.
- Personal Details include data such as names, titles, company names, departments, email addresses, physical street addresses, telephone numbers, and social media usernames of individuals.
- Login Credentials include data such as usernames and passwords of individuals needed to access various Customer portals or applications used to place Service orders and receive Customer support or otherwise access Cyxtera systems.
- Unique IDs include data such as IP addresses and geolocation data that we obtain from (a) Representatives, (b) prospective employees, (c) Website Visitors who access our customer portals or Websites, or (d) other individuals that interact with us.
- Payment Information includes data such as bank name, account numbers, routing numbers, check numbers, and wire transfer IDs.
- Customer Support Records include data such as call details and other similar data regarding customer support communications and chat sessions with Representatives.
- Access Credentials and Visitation Records include data such as the dates, times and locations of access to our data centers, photographs of Representatives with access privileges, CCTV recordings, and biometric access credentials, including, fingerprint scans.
- Website Records include data related your interactions with our Websites and other online content such as log data (i.e., preferences and settings, IP addresses, technical information about the device used to visit the Websites, and geolocation information) and traffic data (i.e., pages viewed, date stamps, time spent on a page, click through and clickstream data, queries made, search history, search results selected, comments made, type of service requested, and purchases made).
- Education and Work History includes details such as attended schools, marks/grades, past employers, descriptions of roles performed, locations of employment, and reasons for leaving past employment.
- Marketing and Event Records include the personal details of the Representative signing up to receive marketing materials as well as information collected from Representatives who complete a survey or form. Marketing records also include the personal details of Representatives who register for, attend and/or otherwise take part in our trade events, webinars, or conferences as well as information about these events.
B. Why Does Cyxtera Collect Personal Data, What are the Sources of Personal Data, What are the Purposes for Processing, and What is the Lawful Basis?
The table below sets out the types of Personal Data Cyxtera Processes, the purposes of Processing such Personal Data, and Cyxtera’s lawful basis for doing so. The lawful basis will vary with the type of Processing involved and will typically include Processing (i) necessary for Cyxtera to pursue its legitimate business interests, (ii) based on your consent, where this is required by data protection laws, and (iii) necessary for Cyxtera to comply with its legal obligations. Where we rely on our legitimate business interests, we have explained what the grounds are for that reliance.
Cyxtera’s Purpose of Processing Personal Data
Cyxtera’s Lawful Basis for Collecting Personal Data
To engage in transactions with Customers, Service Providers and business partners. When a Customer places an order for our Services, Cyxtera Processes the following Categories of Personal Data to engage in and administer the relevant transactions necessary to deliver and provide such Services to its Customer (i.e., signing a contract or service order, creating an account, sending invoices, receiving payments, granting access to customer portals). Cyxtera also collects and Processes such Personal Data when engaging with and purchasing products and services from Service Providers or business partners.
To manage the security of our data center and office locations. In order to grant a Customer, Service Provider, business partner or prospective employee access rights to our data centers and office locations and monitor the security of these locations, Cyxtera collects and Processes the following categories of Personal Data from the Representatives of such Customer, Service Provider or business partner or the prospective employee:
To provide customer and technical support. Cyxtera collects and Processes the following categories of Personal Data to provide Customers and their Representatives with technical and general support:
To communicate and respond to requests and inquiries. When a Customer, Service Provider, business partner or other person or entity contacts us by email, phone, text or by submitting a contact form on our Website, Cyxtera collects and Processes the following Categories of Personal Data from the Representatives or other individuals in order to communicate with Customer, Service Provider, business partner or such other person or entity, as applicable, and respond to their requests and inquiries. Cyxtera also collects and Processes the following Personal Data from Representatives who register for a trade event, webinar, conference:
To market our Services and tailor our marketing and sales activities. Cyxtera may Process the following categories of Personal Data when marketing new and existing Services and features to its Customers and other persons and entities and in an effort to personalize such experience. Cyxtera also collects and Processes the following Personal Data from Representatives who register for a trade event, webinar, conference:
To analyze, improve, and optimize the use, function and performance of our Website and Services. Cyxtera may Process the following categories of Personal Data in order to analyze, improve, and optimize the use, function and performance of its Website and Services, including for quality assurance and training purposes, as well as for marketing and sales campaigns.
To comply with applicable laws, regulations and internal policies, practices, and procedures. Cyxtera may be required to disclose certain categories of Personal Data to comply with applicable laws and regulations, for example, to respond to a request from a government agency or to defend a legal claim. Additionally, Cyxtera may also be required to Process certain categories of Personal Data when conducting internal audits and investigations to ensure compliance with internal and external policies, practices, and procedures.
To effectuate a reorganization, sale, merger, assignment, transfer or other disposition of all or any portion of Cyxtera’s business. In the event Cyxtera reorganizes its business operations or enters into a transaction involving the sale, merger, assignment, transfer, or disposition of all or part of its business, it may be required to share all of the above categories of Personal Data with a third party. Except as otherwise provided by a bankruptcy or other court, the use and disclosure of all transferred Personal Data will be subject to compliance with applicable data protection laws.
To receive applications for employment. Cyxtera may Process the following categories of Personal Data when receiving, reviewing, using, and storing applications for employment, including from prospective employees who visit the Website or other online locations where jobs may be posted and applications may be submitted:
VII. Opting Out of Marketing Communications
If at any time you wish for us to cease communicating with you with marketing materials, please take advantage of the “unsubscribe” link that you will find in any of our written electronic communications or email us at firstname.lastname@example.org . Please note you may still receive some communications such as those related to the Services you are receiving or in response to inquiries you have made to us.
VIII. Sharing with Third Parties
Except as described below, we will not share or disclose Personal Data with or to outside third parties (meaning entities outside of the Group). The Group may share Personal Data between each other.
We will never sell Personal Data collected for the purposes of Service provision, or otherwise obtained from third parties, nor knowingly permit it to be used for marketing purposes by any person outside of the Group.
- Service Providers. We may share Personal Data with our Service Providers in connection with advertising, hosting, data analytics, information technology and infrastructure, order management and fulfillment, billing, contract management, email delivery, auditing, events, and other related activities. We provide such Personal Data or authorize the processing of such Personal Data only as necessary to enable our Service Providers to perform their designated functions. Our contracts with them (1) require them to act only under our instruction and for the purpose(s) directed by us with respect to such Personal Data; and (2) prohibit them from sharing such Personal Data with any third parties without our authorization.
- Business Partners. We may also share your Personal Data with trusted business partners pursuant to our contractual arrangements with them, which will include appropriate safeguards to protect any Personal Data that we share with these partners. These may include, but are not limited to, third parties that organize tradeshows, third party consultants and experts, and auditors.
- Payment Processing. We work with a payment processing partner to process credit card payments. If you make any credit card payment to us, our payment processing provider will store your full name and credit card details.
- Fraud Prevention and Protection of Legal Rights. We may use and disclose Personal Data to the appropriate legal, judicial or law enforcement authorities and our advisors and investigators: (i) when we believe, in our sole discretion, that such disclosure is necessary to investigate, prevent, or respond to suspected illegal or fraudulent activity or to protect the safety, rights, or property of the Group and of our Customers, Service Providers, business partners, Representatives, Website Visitors, prospective employees, or others; (ii) when we suspect abuse of the Website or Services or unauthorized access to any system, spamming, denial of service attacks, or similar attacks; (iii) to exercise or protect legal rights or defend against legal claims; or (iv) to allow us to pursue available remedies or limit the damages that we may sustain.
- Law Enforcement. We may have to disclose the Personal Data of our Customers, Service Providers, business partners, Representatives, applicants, Website Visitors or others if a court, law enforcement or other public or government authority with appropriate competency requests that we provide that Personal Data and we believe, in our reasonable discretion, that such request was made in compliance with applicable law.
IX. Cross-Border Transfers
Where we transfer EEA/UK/Swiss Personal Data to U.S. Group Affiliates that are not covered by the EU-US or Swiss-U.S. Privacy Shield Framework, we will put in place appropriate intra-group agreements in accordance with the GDPR/Swiss requirements, as applicable, including use of the EU Commission-approved/Switzerland-approved, as applicable, Standard Contractual Clauses for Controllers as appropriate. If we transfer EEA/UK/Swiss Personal Data to third parties, such as Service Providers or business partners in countries outside the EEA/UK/Switzerland that are not considered to provide an adequate level of data protection and are not covered by the Privacy Shield Framework, we will put in place the EU Standard Contractual Clauses or Swiss Standard Contractual Clauses, as applicable, or other relevant international transfer documentation that complies with the GDPR or Swiss, as applicable, requirements. We will also put in place a GDPR or Switzerland, as applicable, compliant data processing agreement.
X. Data Retention
With respect to Cyxtera, video footage of visits to our data centers is retained for 90 days. For current Customers, badge activity and badge holder profiles stored within our access control system are retained for the duration of the contract and for up to 12 months thereafter. Such information may be retained for longer if it is included in other types of records that are subject to a longer retention period.
When, in our reasonable discretion, we have no justifiable business need to Process your Personal Data (for example, after all of our necessary interactions have ended, our internal record keeping policies no longer require us to continue to Process your Personal Data, and we have no other legal obligations to retain your Personal Data), we will either delete it or anonymize it.
XI. Data Subject Rights under the GDPR
The GDPR grants individuals who are in the EEA/UK the following rights, with some limitations. Individuals may contact us, at the address provided in the Section IV captioned “Our Contact Details” above to exercise any of those rights and we will respond with the requested action or information, or will let you know why such rights do not apply to you.
These rights are not absolute and are subject to various conditions under applicable data protection and privacy legislation and the laws and regulations to which we are subject.
- Right Not to Provide Consent or to Withdraw Consent. We may seek to rely on your consent in order to Process certain Personal Data. Where we do so, you have the right not to provide your consent, and the right to withdraw your consent at any time. If you withdraw your consent, this will not affect the lawfulness of the Processing conducted based on consent before its withdrawal.
- Right of Access. You have the right to obtain confirmation as to whether or not we collect or Process Personal Data concerning you and, if this is the case, you have the right to request a copy of such Personal Data in digital format.
- Right of Rectification. You have the right to require that we correct any inaccurate Personal Data concerning you, and that we complete incomplete Personal Data.
- Right of Erasure. In certain circumstances, you have the right to request that we erase Personal Data concerning you; for example, if it is no longer necessary for the purposes for which it was originally collected and we do not otherwise have a legitimate reason to retain it.
We may need to retain certain Personal Data when legally required, for internal, record keeping purposes, and/or in order to complete any transactions initiated prior to an individual’s request to remove or delete their Personal Data. Where we are unable to delete data from our systems, we will anonymize it so it will no longer be tied to your identity.
- Right to Restrict Processing. In certain circumstances, you have the right to request that we restrict the Processing of the Personal Data that we have collected about you; for example, where you believe that the Personal Data that we hold about you is not accurate or lawfully held.
- Right to Data Portability. In certain circumstances, you have the right to receive the Personal Data concerning you that you have provided to us in a structured, commonly used, machine readable format, and for us to transmit the data to another entity where technically feasible.
- Right to Object to the Processing. In certain circumstances, you have the right to request that we stop Processing your Personal Data, including where we rely on legitimate interests as legal basis in the tables on the details of Processing provided above. If you receive commercial electronic communications from us, you can unsubscribe from the receipt of future commercial electronic communications from us by clicking on the “unsubscribe” link provided in such communications. Please also note that if you do opt out of receiving commercial electronic communications from us, we may still send you important administrative messages (such as updates about your account or changes in the Services), and you cannot opt out from receiving these messages, unless you stop receiving our Services.
- Right Not to be Subject to Decisions Based Solely on Automated Processing that Produce Legal Effects. We do not make decisions based solely on automated processing - including profiling - that produces legal effects or similarly affects you.
- Right to Complain to a Supervisory Authority. You have the right to lodge a complaint with a Supervisory Authority if you believe that our Processing of Personal Data relating to you is inconsistent with our obligations under the GDPR. In this situation, we ask you please consider contacting us first, so that we can try and assist with your query or address your concern.
To exercise any of your rights as set forth herein, please contact us in writing, via email or postal mail as indicated in Section IV “Our Contact Details” above, so that we may consider your request under applicable law. We may ask that you provide the following Personal Data for us to address your request speedily:
- The name, User ID, pseudonym, email address, or other identifier you have provided to us or if you have not otherwise previously interacted with us, your first and last name and an address where we can correspond with you;
- The country in which you are located;
- A clear description of the Personal Data or content you wish to receive or to be deleted or corrected, or the action you wish to be taken; and
- Sufficient information to allow us to locate the content or Personal Data to be deleted, removed, or corrected.
For your protection, we may only implement requests with respect to the Personal Data that are associated with the particular email address that you use to send us your request. In addition, please note that, depending on the nature of your inquiry, request, or complaint, we may need to verify your identity before implementing your request and may require proof of identity, such as in the form of a government issued ID and proof of your physical address. We will try to comply with your request as soon as reasonably practicable and in any case within the timelines prescribed by applicable laws. However, we reserve the right to refuse to act on a request that is manifestly unfounded or excessive (for example because it is repetitive) and/or, in some cases, to charge a fee that takes into account the administrative costs for providing the information or the communication or taking the action requested.