GDPR Privacy Policy

Effective: March 7, 2024

I. Scope

Please read this document carefully. This GDPR Privacy Policy applies to the Processing of Personal Data by our entities located within the EEA, including in the UK (listed in Section III below), in their role as Controllers, or as otherwise covered by the GDPR, when individuals:

visit or use our Websites;
interact with us on behalf of a Customer in connection with the provision of our Services;
interact with us on behalf of a Service Provider in connection with the products and services our Service Provider provides to us;
interact with us on behalf of a business partner in connection with our relationship with the business partner;
apply to work with us;
receive marketing communications from us; and/or
interact with us by registering for, attending and/or otherwise taking part in our trade events, webinars, or conferences or communicate with us via email, phone, or in-person interactions.

This GDPR Privacy Policy does not apply to any Personal Data Processed, stored, or hosted by Customers using any of our Services or to the extent that we Process Personal Data in the role of a Processor on behalf of our Customers. Where we act as Processors on behalf of our Customers, that Processing is subject to the protections contained in our data processing agreements with Customers. We have no control over, and are not responsible for, any Personal Data that our Customers may store or host on their equipment or otherwise process while using our Services. We are not responsible for the privacy or data security practices of our Customers, which may differ from those set forth in this GDPR Privacy Policy. For information related to how our Customers Process Personal Data, please contact the respective Customer directly.

Furthermore, this GDPR Privacy Policy does not apply to any third-party website or service that may be linked to the Websites unless that website or service is controlled by us and displays this GDPR Privacy Policy. We have no control over, and are not responsible for, the data collection and/or handling practices of these third-party websites or services outside our Websites. We encourage you to read the privacy statements of any third-party websites or services linking to (or linked to via) the Website. In the event of a conflict between this GDPR Privacy Policy and the General Privacy Policy, this GDPR Privacy Policy will prevail

II. Definitions

Please see the definitions as presented in the General Privacy Policy found here.

III. Identification of Controllers

Cyxtera’s entities located in the EEA/UK that act as Controllers include the following:

Cyxtera Technology UK Limited
Cyxtera Germany GmbH
Cyxtera Netherlands B.V.

For our Customers, Service Providers, business partners, and Representatives associated with us, the relevant Controller is the EEA/UK entity with which you have contracted; or, if you did not contract with an EEA/UK entity, the EEA/UK entity as determined by us. For job applicants who apply to work with us, the Controller is the EEA/UK entity you applied to work for as determined by us.

IV. Our Contact Details

If you have any questions or concerns as to how your Personal Data is Processed, please write to us at privacy@cyxtera.com or at 5 Churchill Place, 10^th Floor, London E14 5HU (Attn: Cyxtera Legal Department).

V. Cyxtera’s Data Collection Practices

A. What Types of Personal Data Does Cyxtera Collect?

Cyxtera collects and processes the following categories of Personal Data from Customers, Service Providers, business partners, Representatives, Website Visitors, prospective employees, individuals that receive marketing communications from Cyxtera and individuals that interact with Cyxtera by registering for, attending and/or otherwise taking part in Cyxtera’s trade events, webinars or conferences or who communicate with Cyxtera via email, phone or in person, in each case to operate its business for the specific purposes identified below.

Personal Details include data such as names, titles, company names, departments, email addresses, physical street addresses, telephone numbers, and social media usernames of individuals.
Login Credentials include data such as usernames and passwords of individuals needed to access various Customer portals or applications used to place Service orders and receive Customer support or otherwise access Cyxtera systems.
Unique IDs include data such as IP addresses and geolocation data that we obtain from (a) Representatives, (b) prospective employees, (c) Website Visitors who access our customer portals or Websites, or (d) other individuals that interact with us.
Payment Information includes data such as bank name, account numbers, routing numbers, check numbers, and wire transfer IDs.
Customer Support Records include data such as call details and other similar data regarding customer support communications and chat sessions with Representatives.
Access Credentials and Visitation Records include data such as the dates, times and locations of access to our data centers, photographs of Representatives with access privileges, CCTV recordings, and biometric access credentials, including, fingerprint scans.
Website Records include data related your interactions with our Websites and other online content such as log data (i.e., preferences and settings, IP addresses, technical information about the device used to visit the Websites, and geolocation information) and traffic data (i.e., pages viewed, date stamps, time spent on a page, click through and clickstream data, queries made, search history, search results selected, comments made, type of service requested, and purchases made).
Education and Work History includes details such as attended schools, marks/grades, past employers, descriptions of roles performed, locations of employment, and reasons for leaving past employment.
Marketing and Event Records include the personal details of the Representative signing up to receive marketing materials as well as information collected from Representatives who complete a survey or form. Marketing records also include the personal details of Representatives who register for, attend and/or otherwise take part in our trade events, webinars, or conferences as well as information about these events.

B. Why Does Cyxtera Collect Personal Data, What are the Sources of Personal Data, What are the Purposes for Processing, and What is the Lawful Basis?

This section of the GDPR Privacy Policy covers Cyxtera’s collection of data necessary for the establishment of relations with or provision of Services to existing Customers, the establishment of relationships with or receipt of services from our Service Providers, the establishment of relations with or interactions with business partners, interactions with our Website Visitors, interactions with applicants for employment, interactions with those that receive marketing communications from Cyxtera and interactions with those that register for, attend and/or otherwise take part in Cyxtera’s trade events, webinars or conferences or who communicate with Cyxtera via email, phone or in-person.

The table below sets out the types of Personal Data Cyxtera Processes, the purposes of Processing such Personal Data, and Cyxtera’s lawful basis for doing so. The lawful basis will vary with the type of Processing involved and will typically include Processing (i) necessary for Cyxtera to pursue its legitimate business interests, (ii) based on your consent, where this is required by data protection laws, and (iii) necessary for Cyxtera to comply with its legal obligations. Where we rely on our legitimate business interests, we have explained what the grounds are for that reliance.

Cyxtera’s Purpose of Processing Personal Data	Cyxtera’s Lawful Basis for Collecting Personal Data
To engage in transactions with Customers, Service Providers and business partners. When a Customer places an order for our Services, Cyxtera Processes the following Categories of Personal Data to engage in and administer the relevant transactions necessary to deliver and provide such Services to its Customer (i.e., signing a contract or service order, creating an account, sending invoices, receiving payments, granting access to customer portals). Cyxtera also collects and Processes such Personal Data when engaging with and purchasing products and services from Service Providers or business partners. Personal Details Login Credentials Unique IDs Payment Information	Cyxtera has a legitimate business interest in processing Personal Data in order to engage in transactions with its Customers, Service Providers and business partners and efficiently run its business.
To manage the security of our data center and office locations. In order to grant a Customer, Service Provider, business partner or prospective employee access rights to our data centers and office locations and monitor the security of these locations, Cyxtera collects and Processes the following categories of Personal Data from the Representatives of such Customer, Service Provider or business partner or the prospective employee: Personal Details Unique IDs Access Credentials and Visitation Records	Cyxtera has a legitimate business interest in protecting the security of its data centers and office locations.
To provide customer and technical support. Cyxtera collects and Processes the following categories of Personal Data to provide Customers and their Representatives with technical and general support: Personal Details Login Credentials Unique IDs Customer Support Records	Cyxtera has a legitimate business interest in being able to provide its Customers with customer and technical support.
To communicate and respond to requests and inquiries. When a Customer, Service Provider, business partner or other person or entity contacts us by email, phone, text or by submitting a contact form on our Website, Cyxtera collects and Processes the following Categories of Personal Data from the Representatives or other individuals in order to communicate with Customer, Service Provider, business partner or such other person or entity, as applicable, and respond to their requests and inquiries. Cyxtera also collects and Processes the following Personal Data from Representatives who register for a trade event, webinar, conference: Personal Details Unique IDs Website Records Marketing and Event Records	Cyxtera has a legitimate business interest in being able to communicate with its Customers, Service Providers, business partners and other persons or entities and respond to their inquiries and requests.
To market our Services and tailor our marketing and sales activities. Cyxtera may Process the following categories of Personal Data when marketing new and existing Services and features to its Customers and other persons and entities and in an effort to personalize such experience. Cyxtera also collects and Processes the following Personal Data from Representatives who register for a trade event, webinar, conference: Personal Details Unique IDs Website Records Marketing and Event Records	Except in cases where opt-in consent is required by law for the processing of email addresses, IP addresses or other unique identifiers to send or process electronic communications (emails, texts, cookies, etc.), Cyxtera processes this data for marketing purposes on the basis of its legitimate interests.
To analyze, improve, and optimize the use, function and performance of our Website and Services. Cyxtera may Process the following categories of Personal Data in order to analyze, improve, and optimize the use, function and performance of its Website and Services, including for quality assurance and training purposes, as well as for marketing and sales campaigns. Personal Details Unique IDs Website Records Marketing and Event Records	Cyxtera has a legitimate business interest in improving and optimizing the use of its Website and Services.
To comply with applicable laws, regulations and internal policies, practices, and procedures. Cyxtera may be required to disclose certain categories of Personal Data to comply with applicable laws and regulations, for example, to respond to a request from a government agency or to defend a legal claim. Additionally, Cyxtera may also be required to Process certain categories of Personal Data when conducting internal audits and investigations to ensure compliance with internal and external policies, practices, and procedures.	Legal Obligation Cyxtera has a legitimate business interest in complying with all applicable laws, regulations, and internal policies.
To effectuate a reorganization, sale, merger, assignment, transfer or other disposition of all or any portion of Cyxtera’s business. In the event Cyxtera reorganizes its business operations or enters into a transaction involving the sale, merger, assignment, transfer, or disposition of all or part of its business, it may be required to share all of the above categories of Personal Data with a third party. Except as otherwise provided by a bankruptcy or other court, the use and disclosure of all transferred Personal Data will be subject to compliance with applicable data protection laws.	Cyxtera has a legitimate business interest in being able to carry out a reorganization, sale, merger, assignment, transfer or disposition of its assets or business should the need arise.
To receive applications for employment. Cyxtera may Process the following categories of Personal Data when receiving, reviewing, using, and storing applications for employment, including from prospective employees who visit the Website or other online locations where jobs may be posted and applications may be submitted: Personal Details Login Credentials Unique IDs Education and Work History	Cyxtera has a legal obligation to collect certain information to confirm your right to work in the country to which you have applied. Otherwise, Cyxtera has a legitimate business interest in Processing the Personal Data of job applicants who seek to join the company to assess them as candidates for employment.

VII. Opting Out of Marketing Communications

If at any time you wish for us to cease communicating with you with marketing materials, please take advantage of the “unsubscribe” link that you will find in any of our written electronic communications or email us at unsubscribe@cyxtera.com . Please note you may still receive some communications such as those related to the Services you are receiving or in response to inquiries you have made to us.

VIII. Sharing with Third Parties

Except as described below, we will not share or disclose Personal Data with or to outside third parties (meaning entities outside of the Group). The Group may share Personal Data between each other.

We will never sell Personal Data collected for the purposes of Service provision, or otherwise obtained from third parties, nor knowingly permit it to be used for marketing purposes by any person outside of the Group.

Service Providers. We may share Personal Data with our Service Providers in connection with advertising, hosting, data analytics, information technology and infrastructure, order management and fulfillment, billing, contract management, email delivery, auditing, events, and other related activities. We provide such Personal Data or authorize the processing of such Personal Data only as necessary to enable our Service Providers to perform their designated functions. Our contracts with them (1) require them to act only under our instruction and for the purpose(s) directed by us with respect to such Personal Data; and (2) prohibit them from sharing such Personal Data with any third parties without our authorization.
Business Partners. We may also share your Personal Data with trusted business partners pursuant to our contractual arrangements with them, which will include appropriate safeguards to protect any Personal Data that we share with these partners. These may include, but are not limited to, third parties that organize tradeshows, third party consultants and experts, and auditors.
Affiliated Entities. We share Personal Data with our Affiliates. Subject to local requirements, this Personal Data may be used to provide Services offered by our Affiliates, for the Affiliates to provide support to the Affiliated entity that is sharing the Personal Data or for any other purposes described in this GDPR Privacy Policy. For example, Affiliates may share Personal Data about our Customers, Service Providers, business partners, Representatives, prospective employees, and Website Visitors for direct marketing purposes.
Payment Processing. We work with a payment processing partner to process credit card payments. If you make any credit card payment to us, our payment processing provider will store your full name and credit card details.
Fraud Prevention and Protection of Legal Rights. We may use and disclose Personal Data to the appropriate legal, judicial or law enforcement authorities and our advisors and investigators: (i) when we believe, in our sole discretion, that such disclosure is necessary to investigate, prevent, or respond to suspected illegal or fraudulent activity or to protect the safety, rights, or property of the Group and of our Customers, Service Providers, business partners, Representatives, Website Visitors, prospective employees, or others; (ii) when we suspect abuse of the Website or Services or unauthorized access to any system, spamming, denial of service attacks, or similar attacks; (iii) to exercise or protect legal rights or defend against legal claims; or (iv) to allow us to pursue available remedies or limit the damages that we may sustain.
Law Enforcement. We may have to disclose the Personal Data of our Customers, Service Providers, business partners, Representatives, applicants, Website Visitors or others if a court, law enforcement or other public or government authority with appropriate competency requests that we provide that Personal Data and we believe, in our reasonable discretion, that such request was made in compliance with applicable law.
Corporate Reorganization. We may transfer the Personal Data of our Customers, Service Providers, business partners, Representatives, Website Visitors or others to a third party in the case of the reorganization, sale, merger, joint venture, assignment, transfer or other disposition of all or any portion of our business, asset or stocks, including in the event of bankruptcy or corporate restructuring. Except as otherwise provided by a bankruptcy or other court, the use and disclosure of all transferred Personal Data will be subject to compliance with applicable data protection laws. Any Personal Data that an individual submits or that is collected after the reorganization may be subject to a new privacy policy adopted by the successor entity, of which we will inform, where required.

IX. Cross-Border Transfers

For cross-border transfers of EEA, UK or Swiss Personal Data to Group Affiliates in the US and/or to third parties, such as Service Providers or business partners in countries outside the EEA/UK/Switzerland that are not considered to provide an adequate level of data protection, Cyxtera will adopt safeguards consistent with applicable data protection law including, but not limited to, transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for personal data, to a recipient that has achieved binding corporate rules authorization in accordance with EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) Principles data protection law, or to a recipient that has executed appropriate standard contractual clauses (“SCCs”) in each case as adopted or approved in accordance with EEA, UK, or Swiss data protection law.

Although Cyxtera no longer relies on the Data Privacy Framework Principles, as a lawful transfer mechanism, our Affiliates in the U.S. remain subject to the regulatory enforcement powers of the U.S. Federal Trade Commission with respect to Personal Data that was transferred to them pursuant to the Data Privacy Framework Principles. Please click here to view our Data Privacy Framework Principles Policy covering Personal Data transferred from the EEA/UK/Switzerland to the United States pursuant to the effective Data Privacy Framework Principles. The list of self-certified Group Affiliates can be found here.

X. Data Retention

We will retain Personal Data that we collect and Process where we have a justifiable business need to do so and/or for as long as it is needed to fulfill the purposes outlined in this GDPR Privacy Policy. We may retain Personal Data as required by law, such as for tax, legal, or accounting purposes.

With respect to Cyxtera, video footage of visits to our data centers is retained for 90 days. For current Customers, badge activity and badge holder profiles stored within our access control system are retained for the duration of the contract and for up to 12 months thereafter. Such information may be retained for longer if it is included in other types of records that are subject to a longer retention period.

When, in our reasonable discretion, we have no justifiable business need to Process your Personal Data (for example, after all of our necessary interactions have ended, our internal record keeping policies no longer require us to continue to Process your Personal Data, and we have no other legal obligations to retain your Personal Data), we will either delete it or anonymize it.

XI. Data Subject Rights under the GDPR

The GDPR grants individuals who are in the EEA/UK the following rights, with some limitations. Individuals may contact us, at the address provided in the Section IV captioned “Our Contact Details” above to exercise any of those rights and we will respond with the requested action or information, or will let you know why such rights do not apply to you.

These rights are not absolute and are subject to various conditions under applicable data protection and privacy legislation and the laws and regulations to which we are subject.

In some cases, the exercise of these rights (for example, erasure, objection, restriction or the withholding or withdrawing of consent to processing) may make it impossible for us to achieve the purposes identified in Section V or VI, as applicable, of this GDPR Privacy Policy and otherwise provide services.

Right Not to Provide Consent or to Withdraw Consent. We may seek to rely on your consent in order to Process certain Personal Data. Where we do so, you have the right not to provide your consent, and the right to withdraw your consent at any time. If you withdraw your consent, this will not affect the lawfulness of the Processing conducted based on consent before its withdrawal.
Right of Access. You have the right to obtain confirmation as to whether or not we collect or Process Personal Data concerning you and, if this is the case, you have the right to request a copy of such Personal Data in digital format.
Right of Rectification. You have the right to require that we correct any inaccurate Personal Data concerning you, and that we complete incomplete Personal Data.
Right of Erasure. In certain circumstances, you have the right to request that we erase Personal Data concerning you; for example, if it is no longer necessary for the purposes for which it was originally collected and we do not otherwise have a legitimate reason to retain it.

We may need to retain certain Personal Data when legally required, for internal, record keeping purposes, and/or in order to complete any transactions initiated prior to an individual’s request to remove or delete their Personal Data. Where we are unable to delete data from our systems, we will anonymize it so it will no longer be tied to your identity.
Right to Restrict Processing. In certain circumstances, you have the right to request that we restrict the Processing of the Personal Data that we have collected about you; for example, where you believe that the Personal Data that we hold about you is not accurate or lawfully held.
Right to Data Portability. In certain circumstances, you have the right to receive the Personal Data concerning you that you have provided to us in a structured, commonly used, machine readable format, and for us to transmit the data to another entity where technically feasible.
Right to Object to the Processing. In certain circumstances, you have the right to request that we stop Processing your Personal Data, including where we rely on legitimate interests as legal basis in the tables on the details of Processing provided above. If you receive commercial electronic communications from us, you can unsubscribe from the receipt of future commercial electronic communications from us by clicking on the “unsubscribe” link provided in such communications. Please also note that if you do opt out of receiving commercial electronic communications from us, we may still send you important administrative messages (such as updates about your account or changes in the Services), and you cannot opt out from receiving these messages, unless you stop receiving our Services.
Right Not to be Subject to Decisions Based Solely on Automated Processing that Produce Legal Effects. We do not make decisions based solely on automated processing - including profiling - that produces legal effects or similarly affects you.
Right to Complain to a Supervisory Authority. You have the right to lodge a complaint with a Supervisory Authority if you believe that our Processing of Personal Data relating to you is inconsistent with our obligations under the GDPR. In this situation, we ask you please consider contacting us first, so that we can try and assist with your query or address your concern.

To exercise any of your rights as set forth herein, please contact us in writing, via email or postal mail as indicated in Section IV “Our Contact Details” above, so that we may consider your request under applicable law. We may ask that you provide the following Personal Data for us to address your request speedily:

The name, User ID, pseudonym, email address, or other identifier you have provided to us or if you have not otherwise previously interacted with us, your first and last name and an address where we can correspond with you;
The country in which you are located;
A clear description of the Personal Data or content you wish to receive or to be deleted or corrected, or the action you wish to be taken; and
Sufficient information to allow us to locate the content or Personal Data to be deleted, removed, or corrected.

For your protection, we may only implement requests with respect to the Personal Data that are associated with the particular email address that you use to send us your request. In addition, please note that, depending on the nature of your inquiry, request, or complaint, we may need to verify your identity before implementing your request and may require proof of identity, such as in the form of a government issued ID and proof of your physical address. We will try to comply with your request as soon as reasonably practicable and in any case within the timelines prescribed by applicable laws. However, we reserve the right to refuse to act on a request that is manifestly unfounded or excessive (for example because it is repetitive) and/or, in some cases, to charge a fee that takes into account the administrative costs for providing the information or the communication or taking the action requested.